
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 9113: HTTP/2</title>
<meta content="Martin Thomson" name="author">
<meta content="Cory Benfield" name="author">
<meta content="
       This specification describes an optimized expression of the semantics of the Hypertext
        Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more
        efficient use of network resources and a
        reduced latency by introducing field compression and allowing multiple
        concurrent exchanges on the same connection. 
       This document obsoletes RFCs 7540 and 8740. 
    " name="description">
<meta content="xml2rfc 3.12.10" name="generator">
<meta content="HTTP" name="keyword">
<meta content="SPDY" name="keyword">
<meta content="Web" name="keyword">
<meta content="9113" name="rfc.number">
<!-- Generator version information:
  xml2rfc 3.12.10
    Python 3.6.15
    appdirs 1.4.4
    ConfigArgParse 1.4.1
    google-i18n-address 2.4.0
    html5lib 1.0.1
    intervaltree 3.0.2
    Jinja2 2.11.3
    kitchen 1.2.6
    lxml 4.7.1
    MarkupSafe 2.0.1
    pycairo 1.15.1
    pycountry 19.8.18
    pyflakes 2.1.1
    PyYAML 5.4.1
    requests 2.24.0
    setuptools 40.5.0
    six 1.14.0
    WeasyPrint 52.5
-->
<link href="rfc9113.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.ulBare, li.ulBare {
  margin-left: 0em !important;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
/* Fix PDF info block run off issue */
@media print {
  #identifiers dd {
    float: none;
  }
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  pre.breakable {
    break-inside: auto;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
  break-after: avoid-page;
  break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
  break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode  {
  break-before: auto;
  break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
  break-before: auto;
  break-inside: auto;
}
dt {
  break-before: auto;
  break-after: avoid-page;
}
dd {
  break-before: avoid-page;
  break-after: auto;
  orphans: 3;
  widows: 3
}
span.break, dd.break {
  margin-bottom: 0;
  min-height: 0;
  break-before: auto;
  break-inside: auto;
  break-after: auto;
}
/* Undo break-before ToC */
@media print {
  #toc {
    break-before: auto;
  }
}
/* Text in compact lists should not get extra bottim margin space,
   since that would makes the list not compact */
ul.compact p, .ulCompact p,
ol.compact p, .olCompact p {
 margin: 0;
}
/* But the list as a whole needs the extra space at the end */
section ul.compact,
section .ulCompact,
section ol.compact,
section .olCompact {
  margin-bottom: 1em;                    /* same as p not within ul.compact etc. */
}
/* The tt and code background above interferes with for instance table cell
   backgrounds.  Changed to something a bit more selective. */
tt, code {
  background-color: transparent;
}
p tt, p code, li tt, li code {
  background-color: #f8f8f8;
}
/* Tweak the pre margin -- 0px doesn't come out well */
pre {
   margin-top: 0.5px;
}
/* Tweak the comact list text */
ul.compact, .ulCompact,
ol.compact, .olCompact,
dl.compact, .dlCompact {
  line-height: normal;
}
/* Don't add top margin for nested lists */
li > ul, li > ol, li > dl,
dd > ul, dd > ol, dd > dl,
dl > dd > dl {
  margin-top: initial;
}
/* Elements that should not be rendered on the same line as a <dt> */
/* This should match the element list in writer.text.TextWriter.render_dl() */
dd > div.artwork:first-child,
dd > aside:first-child,
dd > figure:first-child,
dd > ol:first-child,
dd > div:first-child > pre.sourcecode,
dd > table:first-child,
dd > ul:first-child {
  clear: left;
}
/* fix for weird browser behaviour when <dd/> is empty */
dt+dd:empty::before{
  content: "\00a0";
}
/* Make paragraph spacing inside <li> smaller than in body text, to fit better within the list */
li > p {
  margin-bottom: 0.5em
}
/* Don't let p margin spill out from inside list items */
li > p:last-of-type {
  margin-bottom: 0;
}
</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc9113" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-httpbis-http2bis-latest" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 9113</td>
<td class="center">HTTP/2</td>
<td class="right">June 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Thomson &amp; Benfield</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Engineering Task Force (IETF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc9113" class="eref">9113</a></dd>
<dt class="label-obsoletes">Obsoletes:</dt>
<dd class="obsoletes">
<a href="https://www.rfc-editor.org/rfc/rfc7540" class="eref">7540</a>, <a href="https://www.rfc-editor.org/rfc/rfc8740" class="eref">8740</a> </dd>
<dt class="label-category">Category:</dt>
<dd class="category">Standards Track</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-06" class="published">June 2022</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">M. Thomson, <span class="editor">Ed.</span>
</div>
<div class="org">Mozilla</div>
</div>
<div class="author">
      <div class="author-name">C. Benfield, <span class="editor">Ed.</span>
</div>
<div class="org">Apple Inc.</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 9113</h1>
<h1 id="title">HTTP/2</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">This specification describes an optimized expression of the semantics of the Hypertext
        Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more
        efficient use of network resources and a
        reduced latency by introducing field compression and allowing multiple
        concurrent exchanges on the same connection.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
<p id="section-abstract-2">This document obsoletes RFCs 7540 and 8740.<a href="#section-abstract-2" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This is an Internet Standards Track document.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc9113">https://www.rfc-editor.org/info/rfc9113</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2022 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Revised BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Revised BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1"><a href="#section-2" class="xref">2</a>.  <a href="#name-http-2-protocol-overview" class="xref">HTTP/2 Protocol Overview</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
                <p id="section-toc.1-1.2.2.1.1" class="keepWithNext"><a href="#section-2.1" class="xref">2.1</a>.  <a href="#name-document-organization" class="xref">Document Organization</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
                <p id="section-toc.1-1.2.2.2.1" class="keepWithNext"><a href="#section-2.2" class="xref">2.2</a>.  <a href="#name-conventions-and-terminology" class="xref">Conventions and Terminology</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-starting-http-2" class="xref">Starting HTTP/2</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
                <p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-http-2-version-identificati" class="xref">HTTP/2 Version Identification</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
                <p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="xref">3.2</a>.  <a href="#name-starting-http-2-for-https-u" class="xref">Starting HTTP/2 for "<code>https</code>" URIs</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
                <p id="section-toc.1-1.3.2.3.1"><a href="#section-3.3" class="xref">3.3</a>.  <a href="#name-starting-http-2-with-prior-" class="xref">Starting HTTP/2 with Prior Knowledge</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.4">
                <p id="section-toc.1-1.3.2.4.1"><a href="#section-3.4" class="xref">3.4</a>.  <a href="#name-http-2-connection-preface" class="xref">HTTP/2 Connection Preface</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-http-frames" class="xref">HTTP Frames</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="xref">4.1</a>.  <a href="#name-frame-format" class="xref">Frame Format</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
                <p id="section-toc.1-1.4.2.2.1"><a href="#section-4.2" class="xref">4.2</a>.  <a href="#name-frame-size" class="xref">Frame Size</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
                <p id="section-toc.1-1.4.2.3.1"><a href="#section-4.3" class="xref">4.3</a>.  <a href="#name-field-section-compression-a" class="xref">Field Section Compression and Decompression</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3.2.1">
                    <p id="section-toc.1-1.4.2.3.2.1.1"><a href="#section-4.3.1" class="xref">4.3.1</a>.  <a href="#name-compression-state" class="xref">Compression State</a></p>
</li>
                </ul>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-streams-and-multiplexing" class="xref">Streams and Multiplexing</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>.  <a href="#name-stream-states" class="xref">Stream States</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.1">
                    <p id="section-toc.1-1.5.2.1.2.1.1"><a href="#section-5.1.1" class="xref">5.1.1</a>.  <a href="#name-stream-identifiers" class="xref">Stream Identifiers</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1.2.2">
                    <p id="section-toc.1-1.5.2.1.2.2.1"><a href="#section-5.1.2" class="xref">5.1.2</a>.  <a href="#name-stream-concurrency" class="xref">Stream Concurrency</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>.  <a href="#name-flow-control" class="xref">Flow Control</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2.2.1">
                    <p id="section-toc.1-1.5.2.2.2.1.1"><a href="#section-5.2.1" class="xref">5.2.1</a>.  <a href="#name-flow-control-principles" class="xref">Flow-Control Principles</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2.2.2">
                    <p id="section-toc.1-1.5.2.2.2.2.1"><a href="#section-5.2.2" class="xref">5.2.2</a>.  <a href="#name-appropriate-use-of-flow-con" class="xref">Appropriate Use of Flow Control</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2.2.3">
                    <p id="section-toc.1-1.5.2.2.2.3.1"><a href="#section-5.2.3" class="xref">5.2.3</a>.  <a href="#name-flow-control-performance" class="xref">Flow-Control Performance</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="xref">5.3</a>.  <a href="#name-prioritization" class="xref">Prioritization</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3.2.1">
                    <p id="section-toc.1-1.5.2.3.2.1.1"><a href="#section-5.3.1" class="xref">5.3.1</a>.  <a href="#name-background-on-priority-in-r" class="xref">Background on Priority in RFC 7540</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3.2.2">
                    <p id="section-toc.1-1.5.2.3.2.2.1"><a href="#section-5.3.2" class="xref">5.3.2</a>.  <a href="#name-priority-signaling-in-this-" class="xref">Priority Signaling in This Document</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4">
                <p id="section-toc.1-1.5.2.4.1"><a href="#section-5.4" class="xref">5.4</a>.  <a href="#name-error-handling" class="xref">Error Handling</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4.2.1">
                    <p id="section-toc.1-1.5.2.4.2.1.1"><a href="#section-5.4.1" class="xref">5.4.1</a>.  <a href="#name-connection-error-handling" class="xref">Connection Error Handling</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4.2.2">
                    <p id="section-toc.1-1.5.2.4.2.2.1"><a href="#section-5.4.2" class="xref">5.4.2</a>.  <a href="#name-stream-error-handling" class="xref">Stream Error Handling</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4.2.3">
                    <p id="section-toc.1-1.5.2.4.2.3.1"><a href="#section-5.4.3" class="xref">5.4.3</a>.  <a href="#name-connection-termination" class="xref">Connection Termination</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.5">
                <p id="section-toc.1-1.5.2.5.1"><a href="#section-5.5" class="xref">5.5</a>.  <a href="#name-extending-http-2" class="xref">Extending HTTP/2</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-frame-definitions" class="xref">Frame Definitions</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="xref">6.1</a>.  <a href="#name-data" class="xref">DATA</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="xref">6.2</a>.  <a href="#name-headers" class="xref">HEADERS</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
                <p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="xref">6.3</a>.  <a href="#name-priority" class="xref">PRIORITY</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.4">
                <p id="section-toc.1-1.6.2.4.1"><a href="#section-6.4" class="xref">6.4</a>.  <a href="#name-rst_stream" class="xref">RST_STREAM</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5">
                <p id="section-toc.1-1.6.2.5.1"><a href="#section-6.5" class="xref">6.5</a>.  <a href="#name-settings" class="xref">SETTINGS</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5.2.1">
                    <p id="section-toc.1-1.6.2.5.2.1.1"><a href="#section-6.5.1" class="xref">6.5.1</a>.  <a href="#name-settings-format" class="xref">SETTINGS Format</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5.2.2">
                    <p id="section-toc.1-1.6.2.5.2.2.1"><a href="#section-6.5.2" class="xref">6.5.2</a>.  <a href="#name-defined-settings" class="xref">Defined Settings</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5.2.3">
                    <p id="section-toc.1-1.6.2.5.2.3.1"><a href="#section-6.5.3" class="xref">6.5.3</a>.  <a href="#name-settings-synchronization" class="xref">Settings Synchronization</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.6">
                <p id="section-toc.1-1.6.2.6.1"><a href="#section-6.6" class="xref">6.6</a>.  <a href="#name-push_promise" class="xref">PUSH_PROMISE</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.7">
                <p id="section-toc.1-1.6.2.7.1"><a href="#section-6.7" class="xref">6.7</a>.  <a href="#name-ping" class="xref">PING</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.8">
                <p id="section-toc.1-1.6.2.8.1"><a href="#section-6.8" class="xref">6.8</a>.  <a href="#name-goaway" class="xref">GOAWAY</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9">
                <p id="section-toc.1-1.6.2.9.1"><a href="#section-6.9" class="xref">6.9</a>.  <a href="#name-window_update" class="xref">WINDOW_UPDATE</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.1">
                    <p id="section-toc.1-1.6.2.9.2.1.1"><a href="#section-6.9.1" class="xref">6.9.1</a>.  <a href="#name-the-flow-control-window" class="xref">The Flow-Control Window</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.2">
                    <p id="section-toc.1-1.6.2.9.2.2.1"><a href="#section-6.9.2" class="xref">6.9.2</a>.  <a href="#name-initial-flow-control-window" class="xref">Initial Flow-Control Window Size</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.9.2.3">
                    <p id="section-toc.1-1.6.2.9.2.3.1"><a href="#section-6.9.3" class="xref">6.9.3</a>.  <a href="#name-reducing-the-stream-window-" class="xref">Reducing the Stream Window Size</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.10">
                <p id="section-toc.1-1.6.2.10.1"><a href="#section-6.10" class="xref">6.10</a>. <a href="#name-continuation" class="xref">CONTINUATION</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-error-codes" class="xref">Error Codes</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-expressing-http-semantics-i" class="xref">Expressing HTTP Semantics in HTTP/2</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
                <p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="xref">8.1</a>.  <a href="#name-http-message-framing" class="xref">HTTP Message Framing</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1.2.1">
                    <p id="section-toc.1-1.8.2.1.2.1.1"><a href="#section-8.1.1" class="xref">8.1.1</a>.  <a href="#name-malformed-messages" class="xref">Malformed Messages</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
                <p id="section-toc.1-1.8.2.2.1"><a href="#section-8.2" class="xref">8.2</a>.  <a href="#name-http-fields" class="xref">HTTP Fields</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2.2.1">
                    <p id="section-toc.1-1.8.2.2.2.1.1"><a href="#section-8.2.1" class="xref">8.2.1</a>.  <a href="#name-field-validity" class="xref">Field Validity</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2.2.2">
                    <p id="section-toc.1-1.8.2.2.2.2.1"><a href="#section-8.2.2" class="xref">8.2.2</a>.  <a href="#name-connection-specific-header-" class="xref">Connection-Specific Header Fields</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2.2.3">
                    <p id="section-toc.1-1.8.2.2.2.3.1"><a href="#section-8.2.3" class="xref">8.2.3</a>.  <a href="#name-compressing-the-cookie-head" class="xref">Compressing the Cookie Header Field</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3">
                <p id="section-toc.1-1.8.2.3.1"><a href="#section-8.3" class="xref">8.3</a>.  <a href="#name-http-control-data" class="xref">HTTP Control Data</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3.2.1">
                    <p id="section-toc.1-1.8.2.3.2.1.1"><a href="#section-8.3.1" class="xref">8.3.1</a>.  <a href="#name-request-pseudo-header-field" class="xref">Request Pseudo-Header Fields</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3.2.2">
                    <p id="section-toc.1-1.8.2.3.2.2.1"><a href="#section-8.3.2" class="xref">8.3.2</a>.  <a href="#name-response-pseudo-header-fiel" class="xref">Response Pseudo-Header Fields</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.4">
                <p id="section-toc.1-1.8.2.4.1"><a href="#section-8.4" class="xref">8.4</a>.  <a href="#name-server-push" class="xref">Server Push</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.4.2.1">
                    <p id="section-toc.1-1.8.2.4.2.1.1"><a href="#section-8.4.1" class="xref">8.4.1</a>.  <a href="#name-push-requests" class="xref">Push Requests</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.4.2.2">
                    <p id="section-toc.1-1.8.2.4.2.2.1"><a href="#section-8.4.2" class="xref">8.4.2</a>.  <a href="#name-push-responses" class="xref">Push Responses</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.5">
                <p id="section-toc.1-1.8.2.5.1"><a href="#section-8.5" class="xref">8.5</a>.  <a href="#name-the-connect-method" class="xref">The CONNECT Method</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.6">
                <p id="section-toc.1-1.8.2.6.1"><a href="#section-8.6" class="xref">8.6</a>.  <a href="#name-the-upgrade-header-field" class="xref">The Upgrade Header Field</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.7">
                <p id="section-toc.1-1.8.2.7.1"><a href="#section-8.7" class="xref">8.7</a>.  <a href="#name-request-reliability" class="xref">Request Reliability</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8">
                <p id="section-toc.1-1.8.2.8.1"><a href="#section-8.8" class="xref">8.8</a>.  <a href="#name-examples" class="xref">Examples</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8.2.1">
                    <p id="section-toc.1-1.8.2.8.2.1.1"><a href="#section-8.8.1" class="xref">8.8.1</a>.  <a href="#name-simple-request" class="xref">Simple Request</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8.2.2">
                    <p id="section-toc.1-1.8.2.8.2.2.1"><a href="#section-8.8.2" class="xref">8.8.2</a>.  <a href="#name-simple-response" class="xref">Simple Response</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8.2.3">
                    <p id="section-toc.1-1.8.2.8.2.3.1"><a href="#section-8.8.3" class="xref">8.8.3</a>.  <a href="#name-complex-request" class="xref">Complex Request</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8.2.4">
                    <p id="section-toc.1-1.8.2.8.2.4.1"><a href="#section-8.8.4" class="xref">8.8.4</a>.  <a href="#name-response-with-body" class="xref">Response with Body</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.8.2.5">
                    <p id="section-toc.1-1.8.2.8.2.5.1"><a href="#section-8.8.5" class="xref">8.8.5</a>.  <a href="#name-informational-responses" class="xref">Informational Responses</a></p>
</li>
                </ul>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-http-2-connections" class="xref">HTTP/2 Connections</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
                <p id="section-toc.1-1.9.2.1.1"><a href="#section-9.1" class="xref">9.1</a>.  <a href="#name-connection-management" class="xref">Connection Management</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1.2.1">
                    <p id="section-toc.1-1.9.2.1.2.1.1"><a href="#section-9.1.1" class="xref">9.1.1</a>.  <a href="#name-connection-reuse" class="xref">Connection Reuse</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2">
                <p id="section-toc.1-1.9.2.2.1"><a href="#section-9.2" class="xref">9.2</a>.  <a href="#name-use-of-tls-features" class="xref">Use of TLS Features</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.1">
                    <p id="section-toc.1-1.9.2.2.2.1.1"><a href="#section-9.2.1" class="xref">9.2.1</a>.  <a href="#name-tls-12-features" class="xref">TLS 1.2 Features</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.2">
                    <p id="section-toc.1-1.9.2.2.2.2.1"><a href="#section-9.2.2" class="xref">9.2.2</a>.  <a href="#name-tls-12-cipher-suites" class="xref">TLS 1.2 Cipher Suites</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2.2.3">
                    <p id="section-toc.1-1.9.2.2.2.3.1"><a href="#section-9.2.3" class="xref">9.2.3</a>.  <a href="#name-tls-13-features" class="xref">TLS 1.3 Features</a></p>
</li>
                </ul>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-security-considerations" class="xref">Security Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.1">
                <p id="section-toc.1-1.10.2.1.1"><a href="#section-10.1" class="xref">10.1</a>.  <a href="#name-server-authority" class="xref">Server Authority</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.2">
                <p id="section-toc.1-1.10.2.2.1"><a href="#section-10.2" class="xref">10.2</a>.  <a href="#name-cross-protocol-attacks" class="xref">Cross-Protocol Attacks</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.3">
                <p id="section-toc.1-1.10.2.3.1"><a href="#section-10.3" class="xref">10.3</a>.  <a href="#name-intermediary-encapsulation-" class="xref">Intermediary Encapsulation Attacks</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.4">
                <p id="section-toc.1-1.10.2.4.1"><a href="#section-10.4" class="xref">10.4</a>.  <a href="#name-cacheability-of-pushed-resp" class="xref">Cacheability of Pushed Responses</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.5">
                <p id="section-toc.1-1.10.2.5.1"><a href="#section-10.5" class="xref">10.5</a>.  <a href="#name-denial-of-service-considera" class="xref">Denial-of-Service Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.5.2.1">
                    <p id="section-toc.1-1.10.2.5.2.1.1"><a href="#section-10.5.1" class="xref">10.5.1</a>.  <a href="#name-limits-on-field-block-size" class="xref">Limits on Field Block Size</a></p>
</li>
                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.5.2.2">
                    <p id="section-toc.1-1.10.2.5.2.2.1"><a href="#section-10.5.2" class="xref">10.5.2</a>.  <a href="#name-connect-issues" class="xref">CONNECT Issues</a></p>
</li>
                </ul>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.6">
                <p id="section-toc.1-1.10.2.6.1"><a href="#section-10.6" class="xref">10.6</a>.  <a href="#name-use-of-compression" class="xref">Use of Compression</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.7">
                <p id="section-toc.1-1.10.2.7.1"><a href="#section-10.7" class="xref">10.7</a>.  <a href="#name-use-of-padding" class="xref">Use of Padding</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.8">
                <p id="section-toc.1-1.10.2.8.1"><a href="#section-10.8" class="xref">10.8</a>.  <a href="#name-privacy-considerations" class="xref">Privacy Considerations</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10.2.9">
                <p id="section-toc.1-1.10.2.9.1"><a href="#section-10.9" class="xref">10.9</a>.  <a href="#name-remote-timing-attacks" class="xref">Remote Timing Attacks</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#section-11" class="xref">11</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1">
                <p id="section-toc.1-1.11.2.1.1"><a href="#section-11.1" class="xref">11.1</a>.  <a href="#name-http2-settings-header-field" class="xref">HTTP2-Settings Header Field Registration</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.2">
                <p id="section-toc.1-1.11.2.2.1"><a href="#section-11.2" class="xref">11.2</a>.  <a href="#name-the-h2c-upgrade-token" class="xref">The h2c Upgrade Token</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
            <p id="section-toc.1-1.12.1"><a href="#section-12" class="xref">12</a>. <a href="#name-references" class="xref">References</a></p>
<ul class="compact toc ulBare ulEmpty">
<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.1">
                <p id="section-toc.1-1.12.2.1.1"><a href="#section-12.1" class="xref">12.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a></p>
</li>
              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12.2.2">
                <p id="section-toc.1-1.12.2.2.1"><a href="#section-12.2" class="xref">12.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a></p>
</li>
            </ul>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.13">
            <p id="section-toc.1-1.13.1"><a href="#appendix-A" class="xref">Appendix A</a>.  <a href="#name-prohibited-tls-12-cipher-su" class="xref">Prohibited TLS 1.2 Cipher Suites</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.14">
            <p id="section-toc.1-1.14.1"><a href="#appendix-B" class="xref">Appendix B</a>.  <a href="#name-changes-from-rfc-7540" class="xref">Changes from RFC 7540</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.15">
            <p id="section-toc.1-1.15.1"><a href="#appendix-C" class="xref"></a><a href="#name-acknowledgments" class="xref">Acknowledgments</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.16">
            <p id="section-toc.1-1.16.1"><a href="#appendix-D" class="xref"></a><a href="#name-contributors" class="xref">Contributors</a></p>
</li>
          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.17">
            <p id="section-toc.1-1.17.1"><a href="#appendix-E" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a></p>
</li>
        </ul>
</nav>
</section>
</div>
<div id="intro">
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">The performance of applications using the Hypertext Transfer Protocol
        (HTTP, <span>[<a href="#RFC9110" class="xref">HTTP</a>]</span>) is linked to how each version of HTTP uses the underlying
        transport, and the conditions under which the transport operates.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">Making multiple concurrent requests can reduce latency and improve
        application performance. HTTP/1.0 allowed only one request to be
        outstanding at a time on a given TCP <span>[<a href="#RFC0793" class="xref">TCP</a>]</span> connection. HTTP/1.1 <span>[<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>
        added request pipelining, but this only partially addressed request
        concurrency and still suffers from application-layer head-of-line
        blocking. Therefore, HTTP/1.0 and HTTP/1.1 clients use multiple connections
        to a server to make concurrent requests.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">Furthermore, HTTP fields are often repetitive and verbose, causing unnecessary
        network traffic as well as causing the initial TCP congestion
        window to quickly fill. This can result in excessive latency when multiple requests are
        made on a new TCP connection.<a href="#section-1-3" class="pilcrow">¶</a></p>
<p id="section-1-4">HTTP/2 addresses these issues by defining an optimized mapping of HTTP's semantics to an
        underlying connection. Specifically, it allows interleaving of messages on the same
        connection and uses an efficient coding for HTTP fields. It also allows prioritization of
        requests, letting more important requests complete more quickly, further improving
        performance.<a href="#section-1-4" class="pilcrow">¶</a></p>
<p id="section-1-5">The resulting protocol is more friendly to the network because fewer TCP connections can
        be used in comparison to HTTP/1.x. This means less competition with other flows and
        longer-lived connections, which in turn lead to better utilization of available network
        capacity. Note, however, that TCP head-of-line blocking is not addressed by this protocol.<a href="#section-1-5" class="pilcrow">¶</a></p>
<p id="section-1-6">Finally, HTTP/2 also enables more efficient processing of messages through use of binary
        message framing.<a href="#section-1-6" class="pilcrow">¶</a></p>
<p id="section-1-7">This document obsoletes RFCs 7540 and 8740.  <a href="#revision-updates" class="xref">Appendix B</a> lists notable changes.<a href="#section-1-7" class="pilcrow">¶</a></p>
</section>
</div>
<div id="Overview">
<section id="section-2">
      <h2 id="name-http-2-protocol-overview">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-http-2-protocol-overview" class="section-name selfRef">HTTP/2 Protocol Overview</a>
      </h2>
<p id="section-2-1">HTTP/2 provides an optimized transport for HTTP semantics.  HTTP/2 supports all of the core
        features of HTTP but aims to be more efficient than HTTP/1.1.<a href="#section-2-1" class="pilcrow">¶</a></p>
<p id="section-2-2">HTTP/2 is a connection-oriented application-layer protocol that runs over a TCP connection
        (<span>[<a href="#RFC0793" class="xref">TCP</a>]</span>). The client is the TCP connection initiator.<a href="#section-2-2" class="pilcrow">¶</a></p>
<p id="section-2-3">The basic protocol unit in HTTP/2 is a <span><a href="#FrameHeader" class="xref">frame</a> (<a href="#FrameHeader" class="xref">Section 4.1</a>)</span>.  Each frame
        type serves a different purpose.  For example, <a href="#HEADERS" class="xref">HEADERS</a> and
        <a href="#DATA" class="xref">DATA</a> frames form the basis of <span><a href="#HttpFraming" class="xref">HTTP requests and
        responses</a> (<a href="#HttpFraming" class="xref">Section 8.1</a>)</span>; other frame types like <a href="#SETTINGS" class="xref">SETTINGS</a>,
        <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, and <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> are used in support of other
        HTTP/2 features.<a href="#section-2-3" class="pilcrow">¶</a></p>
<p id="section-2-4">Multiplexing of requests is achieved by having each HTTP request/response exchange
        associated with its own <span><a href="#StreamsLayer" class="xref">stream</a> (<a href="#StreamsLayer" class="xref">Section 5</a>)</span>. Streams are largely
        independent of each other, so a blocked or stalled request or response does not prevent
        progress on other streams.<a href="#section-2-4" class="pilcrow">¶</a></p>
<p id="section-2-5">Effective use of multiplexing depends on flow control and prioritization.  <span><a href="#FlowControl" class="xref">Flow control</a> (<a href="#FlowControl" class="xref">Section 5.2</a>)</span> ensures that it is possible to efficiently use
        multiplexed streams by restricting data that is transmitted to what the receiver is able to
        handle.  <span><a href="#StreamPriority" class="xref">Prioritization</a> (<a href="#StreamPriority" class="xref">Section 5.3</a>)</span> ensures that limited resources
        are used most effectively.  This revision of HTTP/2 deprecates the priority signaling scheme
        from <span>[<a href="#RFC7540" class="xref">RFC7540</a>]</span>.<a href="#section-2-5" class="pilcrow">¶</a></p>
<p id="section-2-6">Because HTTP fields used in a connection can contain large amounts of redundant
        data, frames that contain them are <span><a href="#FieldBlock" class="xref">compressed</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>. This has
        especially advantageous impact upon request sizes in the common case, allowing many
        requests to be compressed into one packet.<a href="#section-2-6" class="pilcrow">¶</a></p>
<p id="section-2-7">Finally, HTTP/2 adds a new, optional interaction mode whereby a server can <span><a href="#PushResources" class="xref">push
        responses to a client</a> (<a href="#PushResources" class="xref">Section 8.4</a>)</span>.  This is intended to allow a server to speculatively send data to a
        client that the server anticipates the client will need, trading off some network usage
        against a potential latency gain.  The server does this by synthesizing a request, which it
        sends as a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame.  The server is then able to send a response to
        the synthetic request on a separate stream.<a href="#section-2-7" class="pilcrow">¶</a></p>
<section id="section-2.1">
        <h3 id="name-document-organization">
<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-document-organization" class="section-name selfRef">Document Organization</a>
        </h3>
<p id="section-2.1-1">The HTTP/2 specification is split into four parts:<a href="#section-2.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-2.1-2.1">
            <span><a href="#starting" class="xref">Starting HTTP/2</a> (<a href="#starting" class="xref">Section 3</a>)</span> covers how an HTTP/2 connection is
              initiated.<a href="#section-2.1-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-2.1-2.2">The <span><a href="#FramingLayer" class="xref">frame</a> (<a href="#FramingLayer" class="xref">Section 4</a>)</span> and <span><a href="#StreamsLayer" class="xref">stream</a> (<a href="#StreamsLayer" class="xref">Section 5</a>)</span> layers describe the way HTTP/2 frames are
              structured and formed into multiplexed streams.<a href="#section-2.1-2.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-2.1-2.3">
            <span><a href="#FrameTypes" class="xref">Frame</a> (<a href="#FrameTypes" class="xref">Section 6</a>)</span> and <span><a href="#ErrorCodes" class="xref">error</a> (<a href="#ErrorCodes" class="xref">Section 7</a>)</span>
              definitions include details of the frame and error types used in HTTP/2.<a href="#section-2.1-2.3" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-2.1-2.4">
            <span><a href="#HttpLayer" class="xref">HTTP mappings</a> (<a href="#HttpLayer" class="xref">Section 8</a>)</span> and <span><a href="#HttpExtra" class="xref">additional
              requirements</a> (<a href="#HttpExtra" class="xref">Section 9</a>)</span> describe how HTTP semantics are expressed using frames and
              streams.<a href="#section-2.1-2.4" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-2.1-3">While some of the frame- and stream-layer concepts are isolated from HTTP, this
          specification does not define a completely generic frame layer. The frame and stream
          layers are tailored to the needs of HTTP.<a href="#section-2.1-3" class="pilcrow">¶</a></p>
</section>
<section id="section-2.2">
        <h3 id="name-conventions-and-terminology">
<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-conventions-and-terminology" class="section-name selfRef">Conventions and Terminology</a>
        </h3>
<p id="section-2.2-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>",
        "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>",
        "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>",
        "<span class="bcp14">NOT RECOMMENDED</span>", "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in
        this document are to be interpreted as described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> when, and only when, they
        appear in all capitals, as shown here.<a href="#section-2.2-1" class="pilcrow">¶</a></p>
<p id="section-2.2-2">All numeric values are in network byte order.  Values are unsigned unless otherwise
          indicated.  Literal values are provided in decimal or hexadecimal as appropriate.
          Hexadecimal literals are prefixed with "<code>0x</code>" to distinguish them
          from decimal literals.<a href="#section-2.2-2" class="pilcrow">¶</a></p>
<p id="section-2.2-3">This specification describes binary formats using the conventions described in <span><a href="https://www.rfc-editor.org/rfc/rfc9000#section-1.3" class="relref">Section 1.3</a> of RFC 9000 [<a href="#RFC9000" class="xref">QUIC</a>]</span>.  Note that this format uses network byte
          order and that high-valued bits are listed before low-valued bits.<a href="#section-2.2-3" class="pilcrow">¶</a></p>
<p id="section-2.2-4">The following terms are used:<a href="#section-2.2-4" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-2.2-5">
          <dt id="section-2.2-5.1">client:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.2">The endpoint that initiates an HTTP/2 connection.  Clients send HTTP requests and
              receive HTTP responses.<a href="#section-2.2-5.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.3">connection:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.4">A transport-layer connection between two endpoints.<a href="#section-2.2-5.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.5">connection error:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.6">An error that affects the entire HTTP/2 connection.<a href="#section-2.2-5.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.7">endpoint:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.8">Either the client or server of the connection.<a href="#section-2.2-5.8" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.9">frame:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.10">The smallest unit of communication within an HTTP/2 connection, consisting of a header
              and a variable-length sequence of octets structured according to the frame type.<a href="#section-2.2-5.10" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.11">peer:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.12">An endpoint.  When discussing a particular endpoint, "peer" refers to the endpoint
              that is remote to the primary subject of discussion.<a href="#section-2.2-5.12" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.13">receiver:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.14">An endpoint that is receiving frames.<a href="#section-2.2-5.14" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.15">sender:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.16">An endpoint that is transmitting frames.<a href="#section-2.2-5.16" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.17">server:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.18">The endpoint that accepts an HTTP/2 connection.  Servers receive HTTP requests and
              send HTTP responses.<a href="#section-2.2-5.18" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.19">stream:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.20">A bidirectional flow of frames within the HTTP/2 connection.<a href="#section-2.2-5.20" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-2.2-5.21">stream error:</dt>
          <dd style="margin-left: 1.5em" id="section-2.2-5.22">An error on the individual HTTP/2 stream.<a href="#section-2.2-5.22" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-2.2-6">Finally, the terms "gateway", "intermediary", "proxy", and "tunnel" are defined in
          <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-3.7" class="relref">Section 3.7</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>.  Intermediaries act as both client
          and server at different times.<a href="#section-2.2-6" class="pilcrow">¶</a></p>
<p id="section-2.2-7">The term "content" as it applies to message bodies is defined in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.4" class="relref">Section 6.4</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>.<a href="#section-2.2-7" class="pilcrow">¶</a></p>
</section>
</section>
</div>
<div id="starting">
<section id="section-3">
      <h2 id="name-starting-http-2">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-starting-http-2" class="section-name selfRef">Starting HTTP/2</a>
      </h2>
<p id="section-3-1">Implementations that generate HTTP requests need to discover whether a server supports
        HTTP/2.<a href="#section-3-1" class="pilcrow">¶</a></p>
<p id="section-3-2">HTTP/2 uses the "<code>http</code>" and "<code>https</code>" URI schemes defined in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-4.2" class="relref">Section 4.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>, with the same default port numbers as HTTP/1.1 <span>[<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>. These URIs do not include any indication about what HTTP versions an
        upstream server (the immediate peer to which the client wishes to establish a connection)
        supports.<a href="#section-3-2" class="pilcrow">¶</a></p>
<p id="section-3-3">The means by which support for HTTP/2 is determined is different for "<code>http</code>" and "<code>https</code>"
        URIs.  Discovery for "<code>https</code>" URIs is described in <a href="#discover-https" class="xref">Section 3.2</a>. HTTP/2
        support for "<code>http</code>" URIs can only be discovered by out-of-band means and requires prior knowledge
        of the support as described in <a href="#known-http" class="xref">Section 3.3</a>.<a href="#section-3-3" class="pilcrow">¶</a></p>
<div id="versioning">
<section id="section-3.1">
        <h3 id="name-http-2-version-identificati">
<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-http-2-version-identificati" class="section-name selfRef">HTTP/2 Version Identification</a>
        </h3>
<p id="section-3.1-1">The protocol defined in this document has two identifiers. Creating a connection based on
          either implies the use of the transport, framing, and message semantics described in this
          document.<a href="#section-3.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-3.1-2.1">
            <p id="section-3.1-2.1.1">The string "h2" identifies the protocol where HTTP/2 uses Transport Layer Security
                (TLS); see <a href="#TLSUsage" class="xref">Section 9.2</a>.  This identifier is used in the <span><a href="#RFC7301" class="xref">TLS Application-Layer Protocol Negotiation (ALPN) extension</a> [<a href="#RFC7301" class="xref">TLS-ALPN</a>]</span>
                field and in any place where HTTP/2 over TLS is identified.<a href="#section-3.1-2.1.1" class="pilcrow">¶</a></p>
<p id="section-3.1-2.1.2">The "h2" string is serialized into an ALPN protocol identifier as the two-octet
                sequence: 0x68, 0x32.<a href="#section-3.1-2.1.2" class="pilcrow">¶</a></p>
</li>
          <li class="normal" id="section-3.1-2.2">
            <p id="section-3.1-2.2.1">The "h2c" string was previously used as a token for use in the HTTP Upgrade
                mechanism's Upgrade header field (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.8" class="relref">Section 7.8</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>). This usage
                was never widely deployed and is deprecated by this document. The same applies to the
                HTTP2-Settings header field, which was used with the upgrade to "h2c".<a href="#section-3.1-2.2.1" class="pilcrow">¶</a></p>
</li>
        </ul>
</section>
</div>
<div id="discover-https">
<section id="section-3.2">
        <h3 id="name-starting-http-2-for-https-u">
<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-starting-http-2-for-https-u" class="section-name selfRef">Starting HTTP/2 for "<code>https</code>" URIs</a>
        </h3>
<p id="section-3.2-1">A client that makes a request to an "<code>https</code>" URI uses <span><a href="#RFC8446" class="xref">TLS</a> [<a href="#RFC8446" class="xref">TLS13</a>]</span> with
          the <span><a href="#RFC7301" class="xref">ALPN extension</a> [<a href="#RFC7301" class="xref">TLS-ALPN</a>]</span>.<a href="#section-3.2-1" class="pilcrow">¶</a></p>
<p id="section-3.2-2">HTTP/2 over TLS uses the "h2" protocol identifier.  The "h2c" protocol identifier <span class="bcp14">MUST NOT</span>
          be sent by a client or selected by a server; the "h2c" protocol identifier describes a
          protocol that does not use TLS.<a href="#section-3.2-2" class="pilcrow">¶</a></p>
<p id="section-3.2-3">Once TLS negotiation is complete, both the client and the server <span class="bcp14">MUST</span> send a <span><a href="#preface" class="xref">connection preface</a> (<a href="#preface" class="xref">Section 3.4</a>)</span>.<a href="#section-3.2-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="known-http">
<section id="section-3.3">
        <h3 id="name-starting-http-2-with-prior-">
<a href="#section-3.3" class="section-number selfRef">3.3. </a><a href="#name-starting-http-2-with-prior-" class="section-name selfRef">Starting HTTP/2 with Prior Knowledge</a>
        </h3>
<p id="section-3.3-1">A client can learn that a particular server supports HTTP/2 by other means.  For example,
          a client could be configured with knowledge that a server supports HTTP/2.<a href="#section-3.3-1" class="pilcrow">¶</a></p>
<p id="section-3.3-2">A client that knows that a server supports HTTP/2 can establish a TCP connection and send
          the <span><a href="#preface" class="xref">connection preface</a> (<a href="#preface" class="xref">Section 3.4</a>)</span> followed by HTTP/2 frames.
          Servers can identify these connections by the presence of the connection preface. This
          only affects the establishment of HTTP/2 connections over cleartext TCP; HTTP/2 connections
          over TLS <span class="bcp14">MUST</span> use <span><a href="#RFC7301" class="xref">protocol negotiation in
          TLS</a> [<a href="#RFC7301" class="xref">TLS-ALPN</a>]</span>.<a href="#section-3.3-2" class="pilcrow">¶</a></p>
<p id="section-3.3-3">Likewise, the server <span class="bcp14">MUST</span> send a <span><a href="#preface" class="xref">connection preface</a> (<a href="#preface" class="xref">Section 3.4</a>)</span>.<a href="#section-3.3-3" class="pilcrow">¶</a></p>
<p id="section-3.3-4">Without additional information, prior support for HTTP/2 is not a strong signal that a
          given server will support HTTP/2 for future connections. For example, it is possible for
          server configurations to change, for configurations to differ between instances in
          clustered servers, or for network conditions to change.<a href="#section-3.3-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="preface">
<section id="section-3.4">
        <h3 id="name-http-2-connection-preface">
<a href="#section-3.4" class="section-number selfRef">3.4. </a><a href="#name-http-2-connection-preface" class="section-name selfRef">HTTP/2 Connection Preface</a>
        </h3>
<p id="section-3.4-1">In HTTP/2, each endpoint is required to send a connection preface as a final confirmation
          of the protocol in use and to establish the initial settings for the HTTP/2 connection.
          The client and server each send a different connection preface.<a href="#section-3.4-1" class="pilcrow">¶</a></p>
<p id="section-3.4-2">The client connection preface starts with a sequence of 24 octets, which in hex notation
          is:<a href="#section-3.4-2" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-3.4-3">
<pre>
  0x505249202a20485454502f322e300d0a0d0a534d0d0a0d0a
</pre><a href="#section-3.4-3" class="pilcrow">¶</a>
</div>
<p id="section-3.4-4">That is, the connection preface starts with the string "<code>PRI *
          HTTP/2.0\r\n\r\nSM\r\n\r\n</code>". This sequence
          <span class="bcp14">MUST</span> be followed by a <a href="#SETTINGS" class="xref">SETTINGS</a> frame (<a href="#SETTINGS" class="xref">Section 6.5</a>), which
          <span class="bcp14">MAY</span> be empty. The client sends the client connection preface as the first
          application data octets of a connection.<a href="#section-3.4-4" class="pilcrow">¶</a></p>
<aside id="section-3.4-5">
          <p id="section-3.4-5.1">Note:
            The client connection preface is selected so that a large proportion of HTTP/1.1 or
            HTTP/1.0 servers and intermediaries do not attempt to process further frames.  Note
            that this does not address the concerns raised in <span>[<a href="#TALKING" class="xref">TALKING</a>]</span>.<a href="#section-3.4-5.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-3.4-6">The server connection preface consists of a potentially empty <a href="#SETTINGS" class="xref">SETTINGS</a>
          frame (<a href="#SETTINGS" class="xref">Section 6.5</a>) that <span class="bcp14">MUST</span> be the first frame the server sends in the
          HTTP/2 connection.<a href="#section-3.4-6" class="pilcrow">¶</a></p>
<p id="section-3.4-7">The <a href="#SETTINGS" class="xref">SETTINGS</a> frames received from a peer as part of the connection preface
          <span class="bcp14">MUST</span> be acknowledged (see <a href="#SettingsSync" class="xref">Section 6.5.3</a>) after sending the connection
          preface.<a href="#section-3.4-7" class="pilcrow">¶</a></p>
<p id="section-3.4-8">To avoid unnecessary latency, clients are permitted to send additional frames to the
          server immediately after sending the client connection preface, without waiting to receive
          the server connection preface.  It is important to note, however, that the server
          connection preface <a href="#SETTINGS" class="xref">SETTINGS</a> frame might include settings that necessarily
          alter how a client is expected to communicate with the server. Upon receiving the
          <a href="#SETTINGS" class="xref">SETTINGS</a> frame, the client is expected to honor any settings established.
          In some configurations, it is possible for the server to transmit <a href="#SETTINGS" class="xref">SETTINGS</a>
          before the client sends additional frames, providing an opportunity to avoid this issue.<a href="#section-3.4-8" class="pilcrow">¶</a></p>
<p id="section-3.4-9">Clients and servers <span class="bcp14">MUST</span> treat an invalid connection preface as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.  A <a href="#GOAWAY" class="xref">GOAWAY</a> frame (<a href="#GOAWAY" class="xref">Section 6.8</a>)
          <span class="bcp14">MAY</span> be omitted in this case, since an invalid preface indicates that the peer is not using
          HTTP/2.<a href="#section-3.4-9" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="FramingLayer">
<section id="section-4">
      <h2 id="name-http-frames">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-http-frames" class="section-name selfRef">HTTP Frames</a>
      </h2>
<p id="section-4-1">Once the HTTP/2 connection is established, endpoints can begin exchanging frames.<a href="#section-4-1" class="pilcrow">¶</a></p>
<div id="FrameHeader">
<section id="section-4.1">
        <h3 id="name-frame-format">
<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-frame-format" class="section-name selfRef">Frame Format</a>
        </h3>
<p id="section-4.1-1">All frames begin with a fixed 9-octet header followed by a variable-length frame payload.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
<span id="name-frame-layout"></span><div id="FrameLayout">
<figure id="figure-1">
          <div class="alignLeft art-inline art-text artwork" id="section-4.1-2.1">
<pre>
HTTP Frame {
  Length (24),
  Type (8),

  Flags (8),

  Reserved (1),
  Stream Identifier (31),

  Frame Payload (..),
}
</pre>
</div>
<figcaption><a href="#figure-1" class="selfRef">Figure 1</a>:
<a href="#name-frame-layout" class="selfRef">Frame Layout</a>
          </figcaption></figure>
</div>
<p id="section-4.1-3">The fields of the frame header are defined as:<a href="#section-4.1-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-4.1-4">
          <dt id="section-4.1-4.1">Length:</dt>
          <dd style="margin-left: 1.5em" id="section-4.1-4.2">
            <p id="section-4.1-4.2.1">The length of the frame payload expressed as an unsigned 24-bit integer in units of octets.  Values
                greater than 2<sup>14</sup> (16,384) <span class="bcp14">MUST NOT</span> be sent unless the receiver has
                set a larger value for <a href="#SETTINGS_MAX_FRAME_SIZE" class="xref">SETTINGS_MAX_FRAME_SIZE</a>.<a href="#section-4.1-4.2.1" class="pilcrow">¶</a></p>
<p id="section-4.1-4.2.2">The 9 octets of the frame header are not included in this value.<a href="#section-4.1-4.2.2" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-4.1-4.3">Type:</dt>
          <dd style="margin-left: 1.5em" id="section-4.1-4.4">
            <p id="section-4.1-4.4.1">The 8-bit type of the frame.  The frame type determines the format and semantics of
                the frame.  Frames defined in this document are listed in <a href="#FrameTypes" class="xref">Section 6</a>.
                Implementations <span class="bcp14">MUST</span> ignore and discard frames of unknown types.<a href="#section-4.1-4.4.1" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-4.1-4.5">Flags:</dt>
          <dd style="margin-left: 1.5em" id="section-4.1-4.6">
            <p id="section-4.1-4.6.1">An 8-bit field reserved for boolean flags specific to the frame type.<a href="#section-4.1-4.6.1" class="pilcrow">¶</a></p>
<p id="section-4.1-4.6.2">Flags are assigned semantics specific to the indicated frame type.  Unused flags are
              those that have no defined semantics for a particular frame type. Unused flags <span class="bcp14">MUST</span> be
              ignored on receipt and <span class="bcp14">MUST</span> be left unset (0x00) when sending.<a href="#section-4.1-4.6.2" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-4.1-4.7">Reserved:</dt>
          <dd style="margin-left: 1.5em" id="section-4.1-4.8">
            <p id="section-4.1-4.8.1">A reserved 1-bit field.  The semantics of this bit are undefined, and the bit <span class="bcp14">MUST</span>
                remain unset (0x00) when sending and <span class="bcp14">MUST</span> be ignored when receiving.<a href="#section-4.1-4.8.1" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-4.1-4.9">Stream Identifier:</dt>
          <dd style="margin-left: 1.5em" id="section-4.1-4.10">
            <p id="section-4.1-4.10.1">A stream identifier (see <a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>) expressed as an
                unsigned 31-bit integer.  The value 0x00 is reserved for frames that are associated
                with the connection as a whole as opposed to an individual stream.<a href="#section-4.1-4.10.1" class="pilcrow">¶</a></p>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-4.1-5">The structure and content of the frame payload are dependent entirely on the frame type.<a href="#section-4.1-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="FrameSize">
<section id="section-4.2">
        <h3 id="name-frame-size">
<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-frame-size" class="section-name selfRef">Frame Size</a>
        </h3>
<p id="section-4.2-1">The size of a frame payload is limited by the maximum size that a receiver advertises in
          the <a href="#SETTINGS_MAX_FRAME_SIZE" class="xref">SETTINGS_MAX_FRAME_SIZE</a> setting.  This setting can have any value
          between 2<sup>14</sup> (16,384) and 2<sup>24</sup>-1 (16,777,215) octets,
          inclusive.<a href="#section-4.2-1" class="pilcrow">¶</a></p>
<p id="section-4.2-2">All implementations <span class="bcp14">MUST</span> be capable of receiving and minimally processing frames up to
          2<sup>14</sup> octets in length, plus the 9-octet <span><a href="#FrameHeader" class="xref">frame
          header</a> (<a href="#FrameHeader" class="xref">Section 4.1</a>)</span>.  The size of the frame header is not included when describing frame sizes.<a href="#section-4.2-2" class="pilcrow">¶</a></p>
<aside id="section-4.2-3">
          <p id="section-4.2-3.1">Note: Certain frame types, such as <span><a href="#PING" class="xref">PING</a> (<a href="#PING" class="xref">Section 6.7</a>)</span>, impose additional limits
            on the amount of frame payload data allowed.<a href="#section-4.2-3.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-4.2-4">An endpoint <span class="bcp14">MUST</span> send an error code of <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a> if a frame exceeds the size defined in <a href="#SETTINGS_MAX_FRAME_SIZE" class="xref">SETTINGS_MAX_FRAME_SIZE</a>, exceeds any
          limit defined for the frame type, or is too small to contain mandatory frame data. A frame
          size error in a frame that could alter the state of the entire connection <span class="bcp14">MUST</span> be treated
          as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>; this includes any
          frame carrying a <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> (that is, <a href="#HEADERS" class="xref">HEADERS</a>, <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>, and <a href="#CONTINUATION" class="xref">CONTINUATION</a>), a <a href="#SETTINGS" class="xref">SETTINGS</a> frame, and any frame with a stream identifier of 0.<a href="#section-4.2-4" class="pilcrow">¶</a></p>
<p id="section-4.2-5">Endpoints are not obligated to use all available space in a frame. Responsiveness can be
          improved by using frames that are smaller than the permitted maximum size. Sending large
          frames can result in delays in sending time-sensitive frames (such as
          <a href="#RST_STREAM" class="xref">RST_STREAM</a>, <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, or <a href="#PRIORITY" class="xref">PRIORITY</a>),
          which, if blocked by the transmission of a large frame, could affect performance.<a href="#section-4.2-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="FieldBlock">
<section id="section-4.3">
        <h3 id="name-field-section-compression-a">
<a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-field-section-compression-a" class="section-name selfRef">Field Section Compression and Decompression</a>
        </h3>
<p id="section-4.3-1">Field section compression is the process of compressing a set of field lines (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.2" class="relref">Section 5.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) to form a
          field block.  Field section decompression is the process of decoding a field block into a
          set of field lines.  Details of HTTP/2 field section compression and decompression are
          defined in <span>[<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>, which, for historical reasons, refers to these
          processes as header compression and decompression.<a href="#section-4.3-1" class="pilcrow">¶</a></p>
<p id="section-4.3-2">Each field block carries all of the compressed field lines of a single field section.
          Header sections also include control data associated with the message in the form of <span><a href="#PseudoHeaderFields" class="xref">pseudo-header fields</a> (<a href="#PseudoHeaderFields" class="xref">Section 8.3</a>)</span> that use the same format as a
          field line.<a href="#section-4.3-2" class="pilcrow">¶</a></p>
<aside id="section-4.3-3">
          <p id="section-4.3-3.1">Note: <span><a href="#RFC7540" class="xref">RFC 7540</a> [<a href="#RFC7540" class="xref">RFC7540</a>]</span> used the term "header block" in place of
            the more generic "field block".<a href="#section-4.3-3.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-4.3-4">Field blocks carry control data and header sections for requests, responses, promised
          requests, and pushed responses (see <a href="#PushResources" class="xref">Section 8.4</a>).  All these messages,
          except for interim responses and requests contained in <span><a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> (<a href="#PUSH_PROMISE" class="xref">Section 6.6</a>)</span> frames, can optionally include a field block that
          carries a trailer section.<a href="#section-4.3-4" class="pilcrow">¶</a></p>
<p id="section-4.3-5">A field section is a collection of field lines.  Each of the field lines in a
          field block carries a single value.  The serialized field block is then divided into one or
          more octet sequences, called field block fragments.  The first field block fragment is transmitted within the frame
          payload of <span><a href="#HEADERS" class="xref">HEADERS</a> (<a href="#HEADERS" class="xref">Section 6.2</a>)</span> or <span><a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> (<a href="#PUSH_PROMISE" class="xref">Section 6.6</a>)</span>, each of which could be followed by <span><a href="#CONTINUATION" class="xref">CONTINUATION</a> (<a href="#CONTINUATION" class="xref">Section 6.10</a>)</span> frames to carry subsequent field block fragments.<a href="#section-4.3-5" class="pilcrow">¶</a></p>
<p id="section-4.3-6">The <span><a href="#RFC6265" class="xref">Cookie header field</a> [<a href="#RFC6265" class="xref">COOKIE</a>]</span> is treated specially by the HTTP
          mapping (see <a href="#CompressCookie" class="xref">Section 8.2.3</a>).<a href="#section-4.3-6" class="pilcrow">¶</a></p>
<p id="section-4.3-7">A receiving endpoint reassembles the field block by concatenating its fragments and then
          decompresses the block to reconstruct the field section.<a href="#section-4.3-7" class="pilcrow">¶</a></p>
<p id="section-4.3-8">A complete field section consists of either:<a href="#section-4.3-8" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-4.3-9.1">a single <a href="#HEADERS" class="xref">HEADERS</a> or <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame,
              with the END_HEADERS flag set, or<a href="#section-4.3-9.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-4.3-9.2">a <a href="#HEADERS" class="xref">HEADERS</a> or <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame with the END_HEADERS
              flag unset and one or more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames,
              where the last <a href="#CONTINUATION" class="xref">CONTINUATION</a> frame has the END_HEADERS flag set.<a href="#section-4.3-9.2" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-4.3-10">Each field block is processed as a discrete unit.
          Field blocks <span class="bcp14">MUST</span> be transmitted as a contiguous sequence of frames, with no interleaved
          frames of any other type or from any other stream.  The last frame in a sequence of
          <a href="#HEADERS" class="xref">HEADERS</a> or <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames has the END_HEADERS flag set.
          The last frame in a sequence of <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> or <a href="#CONTINUATION" class="xref">CONTINUATION</a>
          frames has the END_HEADERS flag set.  This allows a field block to be logically
          equivalent to a single frame.<a href="#section-4.3-10" class="pilcrow">¶</a></p>
<p id="section-4.3-11">Field block fragments can only be sent as the frame payload of <a href="#HEADERS" class="xref">HEADERS</a>,
          <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>, or <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames because these frames
          carry data that can modify the compression context maintained by a receiver.  An endpoint
          receiving <a href="#HEADERS" class="xref">HEADERS</a>, <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>, or
          <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames needs to reassemble field blocks and perform
          decompression even if the frames are to be discarded.  A receiver <span class="bcp14">MUST</span> terminate the
          connection with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#COMPRESSION_ERROR" class="xref">COMPRESSION_ERROR</a> if it does not decompress a field block.<a href="#section-4.3-11" class="pilcrow">¶</a></p>
<p id="section-4.3-12">A decoding error in a field block <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#COMPRESSION_ERROR" class="xref">COMPRESSION_ERROR</a>.<a href="#section-4.3-12" class="pilcrow">¶</a></p>
<div id="dynamic-table">
<section id="section-4.3.1">
          <h4 id="name-compression-state">
<a href="#section-4.3.1" class="section-number selfRef">4.3.1. </a><a href="#name-compression-state" class="section-name selfRef">Compression State</a>
          </h4>
<p id="section-4.3.1-1">Field compression is stateful.  Each endpoint has an HPACK encoder context and an HPACK
            decoder context that are used for encoding and decoding all field blocks on a
            connection.  <span><a href="https://www.rfc-editor.org/rfc/rfc7541#section-4" class="relref">Section 4</a> of [<a href="#RFC7541" class="xref">COMPRESSION</a>]</span> defines the dynamic table, which
            is the primary state for each context.<a href="#section-4.3.1-1" class="pilcrow">¶</a></p>
<p id="section-4.3.1-2">The dynamic table has a maximum size that is set by an HPACK decoder. An endpoint
            communicates the size chosen by its HPACK decoder context using the
            SETTINGS_HEADER_TABLE_SIZE setting; see <a href="#SettingValues" class="xref">Section 6.5.2</a>.  When a
            connection is established, the dynamic table size for the HPACK decoder and encoder at
            both endpoints starts at 4,096 bytes, the initial value of the
            SETTINGS_HEADER_TABLE_SIZE setting.<a href="#section-4.3.1-2" class="pilcrow">¶</a></p>
<p id="section-4.3.1-3">Any change to the maximum value set using SETTINGS_HEADER_TABLE_SIZE takes effect when
            the endpoint <span><a href="#SettingsSync" class="xref">acknowledges settings</a> (<a href="#SettingsSync" class="xref">Section 6.5.3</a>)</span>.  The HPACK
            encoder at that endpoint can set the dynamic table to any size up to the maximum value
            set by the decoder.  An HPACK encoder declares the size of the dynamic table with a
            Dynamic Table Size Update instruction (<span><a href="https://www.rfc-editor.org/rfc/rfc7541#section-6.3" class="relref">Section 6.3</a> of [<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>).<a href="#section-4.3.1-3" class="pilcrow">¶</a></p>
<p id="section-4.3.1-4">Once an endpoint acknowledges a change to SETTINGS_HEADER_TABLE_SIZE that reduces the
            maximum below the current size of the dynamic table, its HPACK encoder <span class="bcp14">MUST</span> start the
            next field block with a Dynamic Table Size Update instruction that sets the dynamic
            table to a size that is less than or equal to the reduced maximum; see <span><a href="https://www.rfc-editor.org/rfc/rfc7541#section-4.2" class="relref">Section 4.2</a> of [<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>.  An endpoint <span class="bcp14">MUST</span> treat a field block that follows
            an acknowledgment of the reduction to the maximum dynamic table size as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#COMPRESSION_ERROR" class="xref">COMPRESSION_ERROR</a> if it does not start
            with a conformant Dynamic Table Size Update instruction.<a href="#section-4.3.1-4" class="pilcrow">¶</a></p>
<aside id="section-4.3.1-5">
            <p id="section-4.3.1-5.1">Implementers are advised that reducing the value of SETTINGS_HEADER_TABLE_SIZE is not
              widely interoperable.  Use of the connection preface to reduce the value below the
              initial value of 4,096 is somewhat better supported, but this might fail with some
              implementations.<a href="#section-4.3.1-5.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="StreamsLayer">
<section id="section-5">
      <h2 id="name-streams-and-multiplexing">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-streams-and-multiplexing" class="section-name selfRef">Streams and Multiplexing</a>
      </h2>
<p id="section-5-1">A "stream" is an independent, bidirectional sequence of frames exchanged between the client
        and server within an HTTP/2 connection.  Streams have several important characteristics:<a href="#section-5-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5-2.1">A single HTTP/2 connection can contain multiple concurrently open streams, with either
            endpoint interleaving frames from multiple streams.<a href="#section-5-2.1" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-5-2.2">Streams can be established and used unilaterally or shared by either endpoint.<a href="#section-5-2.2" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-5-2.3">Streams can be closed by either endpoint.<a href="#section-5-2.3" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-5-2.4">The order in which frames are sent is significant. Recipients process frames
            in the order they are received.  In particular, the order of <a href="#HEADERS" class="xref">HEADERS</a>
            and <a href="#DATA" class="xref">DATA</a> frames is semantically significant.<a href="#section-5-2.4" class="pilcrow">¶</a>
</li>
        <li class="normal" id="section-5-2.5">Streams are identified by an integer.  Stream identifiers are assigned to streams by the
            endpoint initiating the stream.<a href="#section-5-2.5" class="pilcrow">¶</a>
</li>
      </ul>
<div id="StreamStates">
<section id="section-5.1">
        <h3 id="name-stream-states">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-stream-states" class="section-name selfRef">Stream States</a>
        </h3>
<p id="section-5.1-1">The lifecycle of a stream is shown in <a href="#StreamStatesFigure" class="xref">Figure 2</a>.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<span id="name-stream-states-2"></span><div id="StreamStatesFigure">
<figure id="figure-2">
          <div id="section-5.1-2.1">
            <div class="alignLeft art-svg artwork" id="section-5.1-2.1.1">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="480" width="488" viewBox="0 0 488 480" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px">
                <g transform="translate(8,16)">
                  <path d="M 0,112 L 0,416" fill="none" stroke="black"></path>
                  <path d="M 56,80 L 56,144" fill="none" stroke="black"></path>
                  <path d="M 56,240 L 56,304" fill="none" stroke="black"></path>
                  <path d="M 88,144 L 88,232" fill="none" stroke="black"></path>
                  <path d="M 96,304 L 96,384" fill="none" stroke="black"></path>
                  <path d="M 144,80 L 144,144" fill="none" stroke="black"></path>
                  <path d="M 144,240 L 144,304" fill="none" stroke="black"></path>
                  <path d="M 200,0 L 200,64" fill="none" stroke="black"></path>
                  <path d="M 200,160 L 200,224" fill="none" stroke="black"></path>
                  <path d="M 200,368 L 200,432" fill="none" stroke="black"></path>
                  <path d="M 232,64 L 232,152" fill="none" stroke="black"></path>
                  <path d="M 232,224 L 232,360" fill="none" stroke="black"></path>
                  <path d="M 272,0 L 272,64" fill="none" stroke="black"></path>
                  <path d="M 272,160 L 272,224" fill="none" stroke="black"></path>
                  <path d="M 272,368 L 272,432" fill="none" stroke="black"></path>
                  <path d="M 328,80 L 328,144" fill="none" stroke="black"></path>
                  <path d="M 328,240 L 328,304" fill="none" stroke="black"></path>
                  <path d="M 376,304 L 376,384" fill="none" stroke="black"></path>
                  <path d="M 384,144 L 384,232" fill="none" stroke="black"></path>
                  <path d="M 416,80 L 416,144" fill="none" stroke="black"></path>
                  <path d="M 416,240 L 416,304" fill="none" stroke="black"></path>
                  <path d="M 472,112 L 472,416" fill="none" stroke="black"></path>
                  <path d="M 200,0 L 272,0" fill="none" stroke="black"></path>
                  <path d="M 128,32 L 200,32" fill="none" stroke="black"></path>
                  <path d="M 272,32 L 344,32" fill="none" stroke="black"></path>
                  <path d="M 200,64 L 272,64" fill="none" stroke="black"></path>
                  <path d="M 56,80 L 144,80" fill="none" stroke="black"></path>
                  <path d="M 328,80 L 416,80" fill="none" stroke="black"></path>
                  <path d="M 0,112 L 56,112" fill="none" stroke="black"></path>
                  <path d="M 416,112 L 472,112" fill="none" stroke="black"></path>
                  <path d="M 56,144 L 144,144" fill="none" stroke="black"></path>
                  <path d="M 328,144 L 416,144" fill="none" stroke="black"></path>
                  <path d="M 200,160 L 272,160" fill="none" stroke="black"></path>
                  <path d="M 136,192 L 200,192" fill="none" stroke="black"></path>
                  <path d="M 272,192 L 336,192" fill="none" stroke="black"></path>
                  <path d="M 200,224 L 272,224" fill="none" stroke="black"></path>
                  <path d="M 56,240 L 144,240" fill="none" stroke="black"></path>
                  <path d="M 328,240 L 416,240" fill="none" stroke="black"></path>
                  <path d="M 56,304 L 144,304" fill="none" stroke="black"></path>
                  <path d="M 328,304 L 416,304" fill="none" stroke="black"></path>
                  <path d="M 200,368 L 272,368" fill="none" stroke="black"></path>
                  <path d="M 96,384 L 192,384" fill="none" stroke="black"></path>
                  <path d="M 280,384 L 376,384" fill="none" stroke="black"></path>
                  <path d="M 0,416 L 192,416" fill="none" stroke="black"></path>
                  <path d="M 280,416 L 472,416" fill="none" stroke="black"></path>
                  <path d="M 200,432 L 272,432" fill="none" stroke="black"></path>
                  <path d="M 336,192 L 356,232" fill="none" stroke="black"></path>
                  <path d="M 344,32 L 364,72" fill="none" stroke="black"></path>
                  <path d="M 108,72 L 128,32" fill="none" stroke="black"></path>
                  <path d="M 116,232 L 136,192" fill="none" stroke="black"></path>
                  <polygon class="arrowhead" points="392,232 380,226.4 380,237.6" fill="black" transform="rotate(90,384,232)"></polygon>
                  <polygon class="arrowhead" points="372,72 360,66.4 360,77.6" fill="black" transform="rotate(63.43494882292201,364,72)"></polygon>
                  <polygon class="arrowhead" points="364,232 352,226.4 352,237.6" fill="black" transform="rotate(63.43494882292201,356,232)"></polygon>
                  <polygon class="arrowhead" points="288,416 276,410.4 276,421.6" fill="black" transform="rotate(180,280,416)"></polygon>
                  <polygon class="arrowhead" points="288,384 276,378.4 276,389.6" fill="black" transform="rotate(180,280,384)"></polygon>
                  <polygon class="arrowhead" points="240,360 228,354.4 228,365.6" fill="black" transform="rotate(90,232,360)"></polygon>
                  <polygon class="arrowhead" points="240,152 228,146.4 228,157.6" fill="black" transform="rotate(90,232,152)"></polygon>
                  <polygon class="arrowhead" points="200,416 188,410.4 188,421.6" fill="black" transform="rotate(0,192,416)"></polygon>
                  <polygon class="arrowhead" points="200,384 188,378.4 188,389.6" fill="black" transform="rotate(0,192,384)"></polygon>
                  <polygon class="arrowhead" points="124,232 112,226.4 112,237.6" fill="black" transform="rotate(116.56505117707799,116,232)"></polygon>
                  <polygon class="arrowhead" points="116,72 104,66.4 104,77.6" fill="black" transform="rotate(116.56505117707799,108,72)"></polygon>
                  <polygon class="arrowhead" points="96,232 84,226.4 84,237.6" fill="black" transform="rotate(90,88,232)"></polygon>
                  <g class="text">
                    <text x="160" y="20">send PP</text>
                    <text x="312" y="20">recv PP</text>
                    <text x="236" y="36">idle</text>
                    <text x="276" y="100">send H /</text>
                    <text x="100" y="116">reserved</text>
                    <text x="268" y="116">recv H</text>
                    <text x="372" y="116">reserved</text>
                    <text x="96" y="132">(local)</text>
                    <text x="372" y="132">(remote)</text>
                    <text x="160" y="180">recv ES</text>
                    <text x="312" y="180">send ES</text>
                    <text x="52" y="196">send H</text>
                    <text x="236" y="196">open</text>
                    <text x="420" y="196">recv H</text>
                    <text x="100" y="260">half-</text>
                    <text x="372" y="260">half-</text>
                    <text x="100" y="276">closed</text>
                    <text x="276" y="276">send R /</text>
                    <text x="372" y="276">closed</text>
                    <text x="100" y="292">(remote)</text>
                    <text x="268" y="292">recv R</text>
                    <text x="368" y="292">(local)</text>
                    <text x="144" y="340">send ES /</text>
                    <text x="328" y="340">recv ES /</text>
                    <text x="148" y="356">send R /</text>
                    <text x="332" y="356">send R /</text>
                    <text x="140" y="372">recv R</text>
                    <text x="324" y="372">recv R</text>
                    <text x="44" y="388">send R /</text>
                    <text x="428" y="388">send R /</text>
                    <text x="36" y="404">recv R</text>
                    <text x="236" y="404">closed</text>
                    <text x="420" y="404">recv R</text>
                  </g>
                </g>
              </svg><a href="#section-5.1-2.1.1" class="pilcrow">¶</a>
</div>
</div>
<figcaption><a href="#figure-2" class="selfRef">Figure 2</a>:
<a href="#name-stream-states-2" class="selfRef">Stream States</a>
          </figcaption></figure>
</div>
<span class="break"></span><dl class="dlCompact dlParallel" id="section-5.1-3">
          <dt id="section-5.1-3.1">
<code>send</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.2">endpoint sends this frame<a href="#section-5.1-3.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-3.3">
<code>recv</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.4">endpoint receives this frame<a href="#section-5.1-3.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-3.5">
<code>H</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.6">
            <a href="#HEADERS" class="xref">HEADERS</a> frame (with implied <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames)<a href="#section-5.1-3.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-3.7">
<code>ES</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.8">END_STREAM flag<a href="#section-5.1-3.8" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-3.9">
<code>R</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.10">
            <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame<a href="#section-5.1-3.10" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-3.11">
<code>PP</code>:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-3.12">
            <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame (with implied <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames); state transitions are for the promised stream<a href="#section-5.1-3.12" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-5.1-4">Note that this diagram shows stream state transitions and the frames and flags that affect
          those transitions only.  In this regard, <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames do not result
          in state transitions; they are effectively part of the <a href="#HEADERS" class="xref">HEADERS</a> or
          <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> that they follow.  For the purpose of state transitions, the
          END_STREAM flag is processed as a separate event to the frame that bears it; a
          <a href="#HEADERS" class="xref">HEADERS</a> frame with the END_STREAM flag set can cause two state transitions.<a href="#section-5.1-4" class="pilcrow">¶</a></p>
<p id="section-5.1-5">Both endpoints have a subjective view of the state of a stream that could be different
          when frames are in transit.  Endpoints do not coordinate the creation of streams; they are
          created unilaterally by either endpoint.  The negative consequences of a mismatch in
          states are limited to the "closed" state after sending <a href="#RST_STREAM" class="xref">RST_STREAM</a>, where
          frames might be received for some time after closing.<a href="#section-5.1-5" class="pilcrow">¶</a></p>
<p id="section-5.1-6">Streams have the following states:<a href="#section-5.1-6" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-5.1-7">
          <dt id="section-5.1-7.1">idle:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.2">
            <p id="section-5.1-7.2.1">All streams start in the "idle" state.<a href="#section-5.1-7.2.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.2.2">The following transitions are valid from this state:<a href="#section-5.1-7.2.2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-7.2.3.1">Sending a <a href="#HEADERS" class="xref">HEADERS</a> frame as a client, or receiving a HEADERS frame
                    as a server, causes the stream to become "open".  The stream identifier is selected as described in
                    <a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>.  The same <a href="#HEADERS" class="xref">HEADERS</a> frame can also
                    cause a stream to immediately become "half-closed".<a href="#section-5.1-7.2.3.1" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.2.3.2">Sending a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame on another stream reserves the idle
                    stream that is identified for later use.  The stream state for the reserved
                    stream transitions to "reserved (local)".  Only a server may send <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames.<a href="#section-5.1-7.2.3.2" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.2.3.3">Receiving a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame on another stream reserves an idle
                    stream that is identified for later use.  The stream state for the reserved
                    stream transitions to "reserved (remote)".  Only a client may receive <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames.<a href="#section-5.1-7.2.3.3" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.2.3.4">Note that the <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame is not sent on the idle
                    stream but references the newly reserved stream in the Promised Stream ID
                    field.<a href="#section-5.1-7.2.3.4" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.2.3.5">Opening a stream with a higher-valued stream identifier causes the stream to
                transition immediately to a "closed" state; note that this transition is not shown
                in the diagram.<a href="#section-5.1-7.2.3.5" class="pilcrow">¶</a>
</li>
            </ul>
<p id="section-5.1-7.2.4">Receiving any frame other than <a href="#HEADERS" class="xref">HEADERS</a> or <a href="#PRIORITY" class="xref">PRIORITY</a> on
                a stream in this state <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>. If this stream is initiated by the server, as described in
                <a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>, then receiving a <a href="#HEADERS" class="xref">HEADERS</a> frame <span class="bcp14">MUST</span> also
                be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-5.1-7.2.4" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.3">reserved (local):</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.4">
            <p id="section-5.1-7.4.1">A stream in the "reserved (local)" state is one that has been promised by sending a
                <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame.  A <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame reserves an
                idle stream by associating the stream with an open stream that was initiated by the
                remote peer (see <a href="#PushResources" class="xref">Section 8.4</a>).<a href="#section-5.1-7.4.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.4.2">In this state, only the following transitions are possible:<a href="#section-5.1-7.4.2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-7.4.3.1">The endpoint can send a <a href="#HEADERS" class="xref">HEADERS</a> frame.  This causes the stream to
                    open in a "half-closed (remote)" state.<a href="#section-5.1-7.4.3.1" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.4.3.2">Either endpoint can send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame to cause the stream
                    to become "closed".  This releases the stream reservation.<a href="#section-5.1-7.4.3.2" class="pilcrow">¶</a>
</li>
            </ul>
<p id="section-5.1-7.4.4">An endpoint <span class="bcp14">MUST NOT</span> send any type of frame other than <a href="#HEADERS" class="xref">HEADERS</a>,
                <a href="#RST_STREAM" class="xref">RST_STREAM</a>, or <a href="#PRIORITY" class="xref">PRIORITY</a> in this state.<a href="#section-5.1-7.4.4" class="pilcrow">¶</a></p>
<p id="section-5.1-7.4.5">A <a href="#PRIORITY" class="xref">PRIORITY</a> or <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frame <span class="bcp14">MAY</span> be received in
                this state.  Receiving any type of frame other than <a href="#RST_STREAM" class="xref">RST_STREAM</a>,
                <a href="#PRIORITY" class="xref">PRIORITY</a>, or <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> on a stream in this state
                <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>
                of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-5.1-7.4.5" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.5">reserved (remote):</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.6">
            <p id="section-5.1-7.6.1">A stream in the "reserved (remote)" state has been reserved by a remote peer.<a href="#section-5.1-7.6.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.6.2">In this state, only the following transitions are possible:<a href="#section-5.1-7.6.2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.1-7.6.3.1">Receiving a <a href="#HEADERS" class="xref">HEADERS</a> frame causes the stream to transition to
                    "half-closed (local)".<a href="#section-5.1-7.6.3.1" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-5.1-7.6.3.2">Either endpoint can send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame to cause the stream
                    to become "closed".  This releases the stream reservation.<a href="#section-5.1-7.6.3.2" class="pilcrow">¶</a>
</li>
            </ul>
<p id="section-5.1-7.6.4">An endpoint <span class="bcp14">MUST NOT</span> send any type of frame other than <a href="#RST_STREAM" class="xref">RST_STREAM</a>, <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, or <a href="#PRIORITY" class="xref">PRIORITY</a> in this state.<a href="#section-5.1-7.6.4" class="pilcrow">¶</a></p>
<p id="section-5.1-7.6.5">Receiving any type of frame other than <a href="#HEADERS" class="xref">HEADERS</a>,
                <a href="#RST_STREAM" class="xref">RST_STREAM</a>, or <a href="#PRIORITY" class="xref">PRIORITY</a> on a stream in this state <span class="bcp14">MUST</span>
                be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
                type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-5.1-7.6.5" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.7">open:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.8">
            <p id="section-5.1-7.8.1">A stream in the "open" state may be used by both peers to send frames of any type.
                In this state, sending peers observe advertised <span><a href="#FlowControl" class="xref">stream-level
                flow-control limits</a> (<a href="#FlowControl" class="xref">Section 5.2</a>)</span>.<a href="#section-5.1-7.8.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.8.2">From this state, either endpoint can send a frame with an END_STREAM flag set, which
                causes the stream to transition into one of the "half-closed" states. An endpoint
                sending an END_STREAM flag causes the stream state to become "half-closed (local)";
                an endpoint receiving an END_STREAM flag causes the stream state to become "half-closed
                (remote)".<a href="#section-5.1-7.8.2" class="pilcrow">¶</a></p>
<p id="section-5.1-7.8.3">Either endpoint can send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame from this state, causing
                it to transition immediately to "closed".<a href="#section-5.1-7.8.3" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.9">half-closed (local):</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.10">
            <p id="section-5.1-7.10.1">A stream that is in the "half-closed (local)" state cannot be used for sending
                frames other than <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, <a href="#PRIORITY" class="xref">PRIORITY</a>, and
                <a href="#RST_STREAM" class="xref">RST_STREAM</a>.<a href="#section-5.1-7.10.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.10.2">A stream transitions from this state to "closed" when a frame is received with the
                END_STREAM flag set or when either peer sends a <a href="#RST_STREAM" class="xref">RST_STREAM</a>
                frame.<a href="#section-5.1-7.10.2" class="pilcrow">¶</a></p>
<p id="section-5.1-7.10.3">An endpoint can receive any type of frame in this state.  Providing flow-control
                credit using <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames is necessary to continue receiving
                flow-controlled frames.  In this state, a receiver can ignore <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames,
                which might arrive for a short period after a frame with the END_STREAM flag set is sent.<a href="#section-5.1-7.10.3" class="pilcrow">¶</a></p>
<p id="section-5.1-7.10.4"><a href="#PRIORITY" class="xref">PRIORITY</a> frames can be received in this state.<a href="#section-5.1-7.10.4" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.11">half-closed (remote):</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.12">
            <p id="section-5.1-7.12.1">A stream that is "half-closed (remote)" is no longer being used by the peer to send
                frames.  In this state, an endpoint is no longer obligated to maintain a receiver
                flow-control window.<a href="#section-5.1-7.12.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.12.2">If an endpoint receives additional frames, other
                than <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, <a href="#PRIORITY" class="xref">PRIORITY</a>, or
                <a href="#RST_STREAM" class="xref">RST_STREAM</a>,  for a stream that is in this state, it <span class="bcp14">MUST</span> respond with a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type
                <a href="#STREAM_CLOSED" class="xref">STREAM_CLOSED</a>.<a href="#section-5.1-7.12.2" class="pilcrow">¶</a></p>
<p id="section-5.1-7.12.3">A stream that is "half-closed (remote)" can be used by the endpoint to send frames
                of any type. In this state, the endpoint continues to observe advertised <span><a href="#FlowControl" class="xref">stream-level flow-control limits</a> (<a href="#FlowControl" class="xref">Section 5.2</a>)</span>.<a href="#section-5.1-7.12.3" class="pilcrow">¶</a></p>
<p id="section-5.1-7.12.4">A stream can transition from this state to "closed" by sending a frame with the
                END_STREAM flag set or when either peer sends a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame.<a href="#section-5.1-7.12.4" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-5.1-7.13">closed:</dt>
          <dd style="margin-left: 1.5em" id="section-5.1-7.14">
            <p id="section-5.1-7.14.1">The "closed" state is the terminal state.<a href="#section-5.1-7.14.1" class="pilcrow">¶</a></p>
<p id="section-5.1-7.14.2">A stream enters the "closed" state after an endpoint both sends and receives a frame
              with an END_STREAM flag set. A stream also enters the "closed" state after an endpoint
              either sends or receives a <a href="#RST_STREAM" class="xref">RST_STREAM</a>
              frame.<a href="#section-5.1-7.14.2" class="pilcrow">¶</a></p>
<p id="section-5.1-7.14.3">An endpoint <span class="bcp14">MUST NOT</span> send frames other than <a href="#PRIORITY" class="xref">PRIORITY</a> on a closed stream.  An endpoint <span class="bcp14">MAY</span> treat receipt of
              any other type of frame on a closed stream as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#STREAM_CLOSED" class="xref">STREAM_CLOSED</a>, except as noted below.<a href="#section-5.1-7.14.3" class="pilcrow">¶</a></p>
<p id="section-5.1-7.14.4">An endpoint that sends a frame with the END_STREAM flag set or a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame might receive a <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> or <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame from its peer in the time before the peer
              receives and processes the frame that closes the stream.<a href="#section-5.1-7.14.4" class="pilcrow">¶</a></p>
<p id="section-5.1-7.14.5">An endpoint that sends a <a href="#RST_STREAM" class="xref">RST_STREAM</a>
              frame on a stream that is in the "open"  or "half-closed (local)" state could receive any type of frame.  The
              peer might have sent or enqueued for sending these frames before processing the <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame. An endpoint <span class="bcp14">MUST</span> minimally
              process and then discard any frames it receives in this state.  This means updating
              header compression state for <a href="#HEADERS" class="xref">HEADERS</a> and
              <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames.  Receiving a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame also causes the promised
              stream to become "reserved (remote)", even when the <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame is received on a closed stream. Additionally, the
              content of <a href="#DATA" class="xref">DATA</a> frames counts toward the
              connection flow-control window.<a href="#section-5.1-7.14.5" class="pilcrow">¶</a></p>
<p id="section-5.1-7.14.6">An endpoint can perform this minimal processing for all streams that are in the
              "closed" state.  Endpoints <span class="bcp14">MAY</span> use other signals to detect that a peer has received
              the frames that caused the stream to enter the "closed" state and treat receipt of any frame other
              than <a href="#PRIORITY" class="xref">PRIORITY</a> as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.  Endpoints can use frames
              that indicate that the peer has received the closing signal to drive this.  Endpoints
              <span class="bcp14">SHOULD NOT</span> use timers for this purpose.  For example, an endpoint that sends a <a href="#SETTINGS" class="xref">SETTINGS</a> frame after closing a stream can
              safely treat receipt of a <a href="#DATA" class="xref">DATA</a> frame on that
              stream as an error after receiving an acknowledgment of the settings.  Other things
              that might be used are <a href="#PING" class="xref">PING</a> frames, receiving
              data on streams that were created after closing the stream, or responses to requests
              created after closing the stream.<a href="#section-5.1-7.14.6" class="pilcrow">¶</a></p>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-5.1-8">In the absence of more specific rules, implementations <span class="bcp14">SHOULD</span> treat the receipt of a frame
          that is not expressly permitted in the description of a state as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.  Note that <a href="#PRIORITY" class="xref">PRIORITY</a> can be sent and received in any stream
          state.<a href="#section-5.1-8" class="pilcrow">¶</a></p>
<p id="section-5.1-9">The rules in this section only apply to frames defined in this document.  Receipt of
          frames for which the semantics are unknown cannot be treated as an error, as the conditions
          for sending and receiving those frames are also unknown; see <a href="#extensibility" class="xref">Section 5.5</a>.<a href="#section-5.1-9" class="pilcrow">¶</a></p>
<p id="section-5.1-10">An example of the state transitions for an HTTP request/response exchange can be found in
          <a href="#HttpExamples" class="xref">Section 8.8</a>.  An example of the state transitions for server push can be
          found in Sections <a href="#PushRequests" class="xref">8.4.1</a> and <a href="#PushResponses" class="xref">8.4.2</a>.<a href="#section-5.1-10" class="pilcrow">¶</a></p>
<div id="StreamIdentifiers">
<section id="section-5.1.1">
          <h4 id="name-stream-identifiers">
<a href="#section-5.1.1" class="section-number selfRef">5.1.1. </a><a href="#name-stream-identifiers" class="section-name selfRef">Stream Identifiers</a>
          </h4>
<p id="section-5.1.1-1">Streams are identified by an unsigned 31-bit integer.  Streams initiated by a client
            <span class="bcp14">MUST</span> use odd-numbered stream identifiers; those initiated by the server <span class="bcp14">MUST</span> use
            even-numbered stream identifiers.  A stream identifier of zero (0x00) is used for
            connection control messages; the stream identifier of zero cannot be used to establish a
            new stream.<a href="#section-5.1.1-1" class="pilcrow">¶</a></p>
<p id="section-5.1.1-2">The identifier of a newly established stream <span class="bcp14">MUST</span> be numerically greater than all
            streams that the initiating endpoint has opened or reserved.  This governs streams that
            are opened using a <a href="#HEADERS" class="xref">HEADERS</a> frame and streams that are reserved using
            <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>.  An endpoint that receives an unexpected stream identifier
            <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
            type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-5.1.1-2" class="pilcrow">¶</a></p>
<p id="section-5.1.1-3">A <a href="#HEADERS" class="xref">HEADERS</a> frame will transition the client-initiated stream identified
            by the stream identifier in the frame header from "idle" to "open". A <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>
            frame will transition the server-initiated stream identified by the Promised Stream ID field in the frame payload from "idle" to "reserved (local)" or "reserved (remote)". When
            a stream transitions out of the "idle" state, all streams in the "idle" state that might have been opened by the peer with a lower-valued
            stream identifier immediately transition to "closed". That is, an endpoint may skip a stream identifier, with the
            effect being that the skipped stream is immediately closed.<a href="#section-5.1.1-3" class="pilcrow">¶</a></p>
<p id="section-5.1.1-4">Stream identifiers cannot be reused.  Long-lived connections can result in an endpoint
            exhausting the available range of stream identifiers.  A client that is unable to
            establish a new stream identifier can establish a new connection for new streams.  A
            server that is unable to establish a new stream identifier can send a
            <a href="#GOAWAY" class="xref">GOAWAY</a> frame so that the client is forced to open a new connection for
            new streams.<a href="#section-5.1.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-5.1.2">
          <h4 id="name-stream-concurrency">
<a href="#section-5.1.2" class="section-number selfRef">5.1.2. </a><a href="#name-stream-concurrency" class="section-name selfRef">Stream Concurrency</a>
          </h4>
<p id="section-5.1.2-1">A peer can limit the number of concurrently active streams using the
            <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> parameter (see <a href="#SettingValues" class="xref">Section 6.5.2</a>) within a <a href="#SETTINGS" class="xref">SETTINGS</a> frame. The maximum concurrent
            streams setting is specific to each endpoint and applies only to the peer that receives
            the setting. That is, clients specify the maximum number of concurrent streams the
            server can initiate, and servers specify the maximum number of concurrent streams the
            client can initiate.<a href="#section-5.1.2-1" class="pilcrow">¶</a></p>
<p id="section-5.1.2-2">Streams that are in the "open" state or in either of the "half-closed" states count toward
            the maximum number of streams that an endpoint is permitted to open.  Streams in any of
            these three states count toward the limit advertised in the
            <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> setting.  Streams in either of the
            "reserved" states do not count toward the stream limit.<a href="#section-5.1.2-2" class="pilcrow">¶</a></p>
<p id="section-5.1.2-3">Endpoints <span class="bcp14">MUST NOT</span> exceed the limit set by their peer.  An endpoint that receives a
            <a href="#HEADERS" class="xref">HEADERS</a> frame that causes its advertised concurrent stream limit to be
            exceeded <span class="bcp14">MUST</span> treat this as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of
            type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a> or <a href="#REFUSED_STREAM" class="xref">REFUSED_STREAM</a>.  The choice of
            error code determines whether the endpoint wishes to enable automatic retry (see <a href="#Reliability" class="xref">Section 8.7</a> for details).<a href="#section-5.1.2-3" class="pilcrow">¶</a></p>
<p id="section-5.1.2-4">An endpoint that wishes to reduce the value of
            <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> to a value that is below the current
            number of open streams can either close streams that exceed the new value or allow
            streams to complete.<a href="#section-5.1.2-4" class="pilcrow">¶</a></p>
</section>
</section>
</div>
<div id="FlowControl">
<section id="section-5.2">
        <h3 id="name-flow-control">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-flow-control" class="section-name selfRef">Flow Control</a>
        </h3>
<p id="section-5.2-1">Using streams for multiplexing introduces contention over use of the TCP connection,
          resulting in blocked streams.  A flow-control scheme ensures that streams on the same
          connection do not destructively interfere with each other.  Flow control is used for both
          individual streams and the connection as a whole.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2-2">HTTP/2 provides for flow control through use of the <span><a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE frame</a> (<a href="#WINDOW_UPDATE" class="xref">Section 6.9</a>)</span>.<a href="#section-5.2-2" class="pilcrow">¶</a></p>
<div id="fc-principles">
<section id="section-5.2.1">
          <h4 id="name-flow-control-principles">
<a href="#section-5.2.1" class="section-number selfRef">5.2.1. </a><a href="#name-flow-control-principles" class="section-name selfRef">Flow-Control Principles</a>
          </h4>
<p id="section-5.2.1-1">HTTP/2 stream flow control aims to allow a variety of flow-control algorithms to be
            used without requiring protocol changes. Flow control in HTTP/2 has the following
            characteristics:<a href="#section-5.2.1-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-5.2.1-2">
            <li id="section-5.2.1-2.1">Flow control is specific to a connection.  HTTP/2 flow control operates between
                the endpoints of a single hop and not over the entire end-to-end path.<a href="#section-5.2.1-2.1" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.2">Flow control is based on <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames.  Receivers advertise how many octets
                they are prepared to receive on a stream and for the entire connection.  This is a
                credit-based scheme.<a href="#section-5.2.1-2.2" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.3">Flow control is directional with overall control provided by the receiver.  A
                receiver <span class="bcp14">MAY</span> choose to set any window size that it desires for each stream and for
                the entire connection.  A sender <span class="bcp14">MUST</span> respect flow-control limits imposed by a
                receiver.  Clients, servers, and intermediaries all independently advertise their
                flow-control window as a receiver and abide by the flow-control limits set by
                their peer when sending.<a href="#section-5.2.1-2.3" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.4">The initial value for the flow-control window is 65,535 octets for both new streams
                and the overall connection.<a href="#section-5.2.1-2.4" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.5">The frame type determines whether flow control applies to a frame.  Of the frames
                specified in this document, only <a href="#DATA" class="xref">DATA</a> frames are subject to flow
                control; all other frame types do not consume space in the advertised flow-control
                window.  This ensures that important control frames are not blocked by flow control.<a href="#section-5.2.1-2.5" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.6">An endpoint can choose to disable its own flow control, but an endpoint cannot ignore
              flow-control signals from its peer.<a href="#section-5.2.1-2.6" class="pilcrow">¶</a>
</li>
            <li id="section-5.2.1-2.7">HTTP/2 defines only the format and semantics of the <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>
                frame (<a href="#WINDOW_UPDATE" class="xref">Section 6.9</a>).  This document does not stipulate how a
                receiver decides when to send this frame or the value that it sends, nor does it
                specify how a sender chooses to send packets.  Implementations are able to select
                any algorithm that suits their needs.<a href="#section-5.2.1-2.7" class="pilcrow">¶</a>
</li>
          </ol>
<p id="section-5.2.1-3">Implementations are also responsible for prioritizing the sending of requests and
            responses, choosing how to avoid head-of-line blocking for requests, and managing the
            creation of new streams.  Algorithm choices for these could interact with any
            flow-control algorithm.<a href="#section-5.2.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="DisableFlowControl">
<section id="section-5.2.2">
          <h4 id="name-appropriate-use-of-flow-con">
<a href="#section-5.2.2" class="section-number selfRef">5.2.2. </a><a href="#name-appropriate-use-of-flow-con" class="section-name selfRef">Appropriate Use of Flow Control</a>
          </h4>
<p id="section-5.2.2-1">Flow control is defined to protect endpoints that are operating under resource
            constraints.  For example, a proxy needs to share memory between many connections and
            also might have a slow upstream connection and a fast downstream one.  Flow control
            addresses cases where the receiver is unable to process data on one stream yet wants to
            continue to process other streams in the same connection.<a href="#section-5.2.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2.2-2">Deployments that do not require this capability can advertise a flow-control window of
            the maximum size (2<sup>31</sup>-1) and can maintain this window by sending a
            <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frame when any data is received.  This effectively disables
            flow control for that receiver.  Conversely, a sender is always subject to the
            flow-control window advertised by the receiver.<a href="#section-5.2.2-2" class="pilcrow">¶</a></p>
<p id="section-5.2.2-3">Deployments with constrained resources (for example, memory) can employ flow control to
            limit the amount of memory a peer can consume.  Note, however, that this can lead to
            suboptimal use of available network resources if flow control is enabled without
            knowledge of the bandwidth * delay product (see <span>[<a href="#RFC7323" class="xref">RFC7323</a>]</span>).<a href="#section-5.2.2-3" class="pilcrow">¶</a></p>
<p id="section-5.2.2-4">Even with full awareness of the current bandwidth * delay product, implementation of
            flow control can be difficult.  Endpoints <span class="bcp14">MUST</span> read and process HTTP/2 frames from the
            TCP receive buffer as soon as data is available.  Failure to read promptly could lead to
            a deadlock when critical frames, such as <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, are not read and acted upon. Reading frames promptly
            does not expose endpoints to resource exhaustion attacks, as HTTP/2 flow control limits
            resource commitments.<a href="#section-5.2.2-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="FlowControlPerformance">
<section id="section-5.2.3">
          <h4 id="name-flow-control-performance">
<a href="#section-5.2.3" class="section-number selfRef">5.2.3. </a><a href="#name-flow-control-performance" class="section-name selfRef">Flow-Control Performance</a>
          </h4>
<p id="section-5.2.3-1">If an endpoint cannot ensure that its peer always has available flow-control window
            space that is greater than the peer's bandwidth * delay product on this connection, its
            receive throughput will be limited by HTTP/2 flow control. This will result in degraded
            performance.<a href="#section-5.2.3-1" class="pilcrow">¶</a></p>
<p id="section-5.2.3-2">Sending timely <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames
            can improve performance. Endpoints will want to balance the need to improve receive
            throughput with the need to manage resource exhaustion risks and should take careful
            note of <a href="#dos" class="xref">Section 10.5</a> in defining their strategy to manage window sizes.<a href="#section-5.2.3-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="StreamPriority">
<section id="section-5.3">
        <h3 id="name-prioritization">
<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-prioritization" class="section-name selfRef">Prioritization</a>
        </h3>
<p id="section-5.3-1">In a multiplexed protocol like HTTP/2, prioritizing allocation of bandwidth and
          computation resources to streams can be critical to attaining good performance.  A poor
          prioritization scheme can result in HTTP/2 providing poor performance.  With no parallelism
          at the TCP layer, performance could be significantly worse than HTTP/1.1.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
<p id="section-5.3-2">A good prioritization scheme benefits from the application of contextual knowledge such as
          the content of resources, how resources are interrelated, and how those resources will be
          used by a peer.  In particular, clients can possess knowledge about the priority of
          requests that is relevant to server prioritization.  In those cases, having clients
          provide priority information can improve performance.<a href="#section-5.3-2" class="pilcrow">¶</a></p>
<div id="PriorityHistory">
<section id="section-5.3.1">
          <h4 id="name-background-on-priority-in-r">
<a href="#section-5.3.1" class="section-number selfRef">5.3.1. </a><a href="#name-background-on-priority-in-r" class="section-name selfRef">Background on Priority in RFC 7540</a>
          </h4>
<p id="section-5.3.1-1">RFC 7540 defined a rich system for signaling priority of requests.  However, this system
            proved to be complex, and it was not uniformly implemented.<a href="#section-5.3.1-1" class="pilcrow">¶</a></p>
<p id="section-5.3.1-2">The flexible scheme meant that it was possible for clients to express priorities in very
            different ways, with little consistency in the approaches that were adopted.  For
            servers, implementing generic support for the scheme was complex.  Implementation of
            priorities was uneven in both clients and servers.  Many server deployments ignored
            client signals when prioritizing their handling of requests.<a href="#section-5.3.1-2" class="pilcrow">¶</a></p>
<p id="section-5.3.1-3">In short, the prioritization signaling in <span><a href="#RFC7540" class="xref">RFC 7540</a> [<a href="#RFC7540" class="xref">RFC7540</a>]</span> was not
            successful.<a href="#section-5.3.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="PriorityHere">
<section id="section-5.3.2">
          <h4 id="name-priority-signaling-in-this-">
<a href="#section-5.3.2" class="section-number selfRef">5.3.2. </a><a href="#name-priority-signaling-in-this-" class="section-name selfRef">Priority Signaling in This Document</a>
          </h4>
<p id="section-5.3.2-1">This update to HTTP/2 deprecates the priority signaling defined in <span><a href="#RFC7540" class="xref">RFC 7540</a> [<a href="#RFC7540" class="xref">RFC7540</a>]</span>.  The bulk of the text related to priority signals is
            not included in this document.  The description of frame fields and some of the
            mandatory handling is retained to ensure that implementations of this document remain
            interoperable with implementations that use the priority signaling described in RFC
            7540.<a href="#section-5.3.2-1" class="pilcrow">¶</a></p>
<p id="section-5.3.2-2">A thorough description of the RFC 7540 priority scheme remains in <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-5.3" class="relref">Section 5.3</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span>.<a href="#section-5.3.2-2" class="pilcrow">¶</a></p>
<p id="section-5.3.2-3">Signaling priority information is necessary to attain good performance in many cases.
            Where signaling priority information is important, endpoints are encouraged to use an
            alternative scheme, such as the scheme described in <span>[<a href="#RFC9218" class="xref">HTTP-PRIORITY</a>]</span>.<a href="#section-5.3.2-3" class="pilcrow">¶</a></p>
<p id="section-5.3.2-4">Though the priority signaling from RFC 7540 was not widely adopted, the information it
            provides can still be useful in the absence of better information.  Endpoints that
            receive priority signals in <a href="#HEADERS" class="xref">HEADERS</a> or <a href="#PRIORITY" class="xref">PRIORITY</a> frames can benefit from applying that
            information.  In particular, implementations that consume these signals would not
            benefit from discarding these priority signals in the absence of alternatives.<a href="#section-5.3.2-4" class="pilcrow">¶</a></p>
<p id="section-5.3.2-5">Servers <span class="bcp14">SHOULD</span> use other contextual information in determining priority of requests in
            the absence of any priority signals.  Servers <span class="bcp14">MAY</span> interpret the complete absence of
            signals as an indication that the client has not implemented the feature.  The defaults
            described in <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-5.3.5" class="relref">Section 5.3.5</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span> are known to have poor performance
            under most conditions, and their use is unlikely to be deliberate.<a href="#section-5.3.2-5" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="ErrorHandler">
<section id="section-5.4">
        <h3 id="name-error-handling">
<a href="#section-5.4" class="section-number selfRef">5.4. </a><a href="#name-error-handling" class="section-name selfRef">Error Handling</a>
        </h3>
<p id="section-5.4-1">HTTP/2 framing permits two classes of errors:<a href="#section-5.4-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-5.4-2.1">An error condition that renders the entire connection unusable is a connection error.<a href="#section-5.4-2.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-5.4-2.2">An error in an individual stream is a stream error.<a href="#section-5.4-2.2" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-5.4-3">A list of error codes is included in <a href="#ErrorCodes" class="xref">Section 7</a>.<a href="#section-5.4-3" class="pilcrow">¶</a></p>
<p id="section-5.4-4">It is possible that an endpoint will encounter frames that would cause multiple errors. Implementations <span class="bcp14">MAY</span> discover
          multiple errors during processing, but they <span class="bcp14">SHOULD</span> report at most one stream and one connection error as a result.<a href="#section-5.4-4" class="pilcrow">¶</a></p>
<p id="section-5.4-5">The first stream error reported for a given stream prevents any other errors on that stream from being reported.
          In comparison, the protocol permits multiple <a href="#GOAWAY" class="xref">GOAWAY</a> frames, though an
          endpoint <span class="bcp14">SHOULD</span> report just one type of connection error unless an error is encountered during graceful shutdown.
          If this occurs, an endpoint <span class="bcp14">MAY</span> send an additional GOAWAY frame with the new error code, in addition to any prior
          GOAWAY that contained <a href="#NO_ERROR" class="xref">NO_ERROR</a>.<a href="#section-5.4-5" class="pilcrow">¶</a></p>
<p id="section-5.4-6">If an endpoint detects multiple different errors, it <span class="bcp14">MAY</span> choose to report any one of those
          errors. If a frame causes a connection error, that error <span class="bcp14">MUST</span> be reported.  Additionally,
          an endpoint <span class="bcp14">MAY</span> use any applicable error code when it detects an error condition; a
          generic error code (such as <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a> or <a href="#INTERNAL_ERROR" class="xref">INTERNAL_ERROR</a>) can always be used in place of more specific error
          codes.<a href="#section-5.4-6" class="pilcrow">¶</a></p>
<div id="ConnectionErrorHandler">
<section id="section-5.4.1">
          <h4 id="name-connection-error-handling">
<a href="#section-5.4.1" class="section-number selfRef">5.4.1. </a><a href="#name-connection-error-handling" class="section-name selfRef">Connection Error Handling</a>
          </h4>
<p id="section-5.4.1-1">A connection error is any error that prevents further processing of the frame
            layer or corrupts any connection state.<a href="#section-5.4.1-1" class="pilcrow">¶</a></p>
<p id="section-5.4.1-2">An endpoint that encounters a connection error <span class="bcp14">SHOULD</span> first send a <a href="#GOAWAY" class="xref">GOAWAY</a>
            frame (<a href="#GOAWAY" class="xref">Section 6.8</a>) with the stream identifier of the last stream that it
            successfully received from its peer.  The <a href="#GOAWAY" class="xref">GOAWAY</a> frame includes an <span><a href="#ErrorCodes" class="xref">error
            code</a> (<a href="#ErrorCodes" class="xref">Section 7</a>)</span> that indicates why the connection is terminating.  After sending the
            <a href="#GOAWAY" class="xref">GOAWAY</a> frame for an error condition, the endpoint <span class="bcp14">MUST</span> close the TCP
            connection.<a href="#section-5.4.1-2" class="pilcrow">¶</a></p>
<p id="section-5.4.1-3">It is possible that the <a href="#GOAWAY" class="xref">GOAWAY</a> will not be reliably received by the
            receiving endpoint.  In the event of a connection error,
            <a href="#GOAWAY" class="xref">GOAWAY</a> only provides a best-effort attempt to communicate with the peer
            about why the connection is being terminated.<a href="#section-5.4.1-3" class="pilcrow">¶</a></p>
<p id="section-5.4.1-4">An endpoint can end a connection at any time.  In particular, an endpoint <span class="bcp14">MAY</span> choose to
            treat a stream error as a connection error.  Endpoints <span class="bcp14">SHOULD</span> send a
            <a href="#GOAWAY" class="xref">GOAWAY</a> frame when ending a connection, providing that circumstances
            permit it.<a href="#section-5.4.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="StreamErrorHandler">
<section id="section-5.4.2">
          <h4 id="name-stream-error-handling">
<a href="#section-5.4.2" class="section-number selfRef">5.4.2. </a><a href="#name-stream-error-handling" class="section-name selfRef">Stream Error Handling</a>
          </h4>
<p id="section-5.4.2-1">A stream error is an error related to a specific stream that does not affect processing
            of other streams.<a href="#section-5.4.2-1" class="pilcrow">¶</a></p>
<p id="section-5.4.2-2">An endpoint that detects a stream error sends a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame (<a href="#RST_STREAM" class="xref">Section 6.4</a>) that contains the stream identifier of the stream where the error
            occurred.  The <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame includes an error code that indicates the
            type of error.<a href="#section-5.4.2-2" class="pilcrow">¶</a></p>
<p id="section-5.4.2-3">A <a href="#RST_STREAM" class="xref">RST_STREAM</a> is the last frame that an endpoint can send on a stream.
            The peer that sends the <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame <span class="bcp14">MUST</span> be prepared to receive any
            frames that were sent or enqueued for sending by the remote peer.  These frames can be
            ignored, except where they modify connection state (such as the state maintained for
            <span><a href="#FieldBlock" class="xref">field section compression</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> or flow control).<a href="#section-5.4.2-3" class="pilcrow">¶</a></p>
<p id="section-5.4.2-4">Normally, an endpoint <span class="bcp14">SHOULD NOT</span> send more than one <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame for
            any stream. However, an endpoint <span class="bcp14">MAY</span> send additional <a href="#RST_STREAM" class="xref">RST_STREAM</a> frames if
            it receives frames on a closed stream after more than a round-trip time.  This behavior
            is permitted to deal with misbehaving implementations.<a href="#section-5.4.2-4" class="pilcrow">¶</a></p>
<p id="section-5.4.2-5">To avoid looping, an endpoint <span class="bcp14">MUST NOT</span> send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> in response to a
            <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame.<a href="#section-5.4.2-5" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-5.4.3">
          <h4 id="name-connection-termination">
<a href="#section-5.4.3" class="section-number selfRef">5.4.3. </a><a href="#name-connection-termination" class="section-name selfRef">Connection Termination</a>
          </h4>
<p id="section-5.4.3-1">If the TCP connection is closed or reset while streams remain in the "open" or "half-closed"
            states, then the affected streams cannot be automatically retried (see <a href="#Reliability" class="xref">Section 8.7</a> for details).<a href="#section-5.4.3-1" class="pilcrow">¶</a></p>
</section>
</section>
</div>
<div id="extensibility">
<section id="section-5.5">
        <h3 id="name-extending-http-2">
<a href="#section-5.5" class="section-number selfRef">5.5. </a><a href="#name-extending-http-2" class="section-name selfRef">Extending HTTP/2</a>
        </h3>
<p id="section-5.5-1">HTTP/2 permits extension of the protocol.  Within the limitations described in this
          section, protocol extensions can be used to provide additional services or alter
          any aspect of the protocol. Extensions are effective only within the scope of a single HTTP/2
          connection.<a href="#section-5.5-1" class="pilcrow">¶</a></p>
<p id="section-5.5-2">This applies to the protocol elements defined in this document.  This does not affect the
          existing options for extending HTTP, such as defining new methods, status codes, or fields
          (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-16" class="relref">Section 16</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-5.5-2" class="pilcrow">¶</a></p>
<p id="section-5.5-3">Extensions are permitted to use new <span><a href="#FrameHeader" class="xref">frame types</a> (<a href="#FrameHeader" class="xref">Section 4.1</a>)</span>, new
          <span><a href="#SETTINGS" class="xref">settings</a> (<a href="#SETTINGS" class="xref">Section 6.5</a>)</span>, or new <span><a href="#ErrorCodes" class="xref">error
          codes</a> (<a href="#ErrorCodes" class="xref">Section 7</a>)</span>.  Registries for managing these extension points are defined in <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-11" class="relref">Section 11</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span>.<a href="#section-5.5-3" class="pilcrow">¶</a></p>
<p id="section-5.5-4">Implementations <span class="bcp14">MUST</span> ignore unknown or unsupported values in all extensible protocol
          elements.  Implementations <span class="bcp14">MUST</span> discard frames that have unknown or unsupported types.
          This means that any of these extension points can be safely used by extensions without
          prior arrangement or negotiation.  However, extension frames that appear in the middle of
          a <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> are not permitted; these <span class="bcp14">MUST</span> be treated
          as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-5.5-4" class="pilcrow">¶</a></p>
<p id="section-5.5-5">Extensions <span class="bcp14">SHOULD</span> avoid changing protocol elements defined in this document or
          elements for which no extension mechanism is defined.  This includes changes to the
          layout of frames, additions or changes to the way that frames are composed into <span><a href="#HttpFraming" class="xref">HTTP messages</a> (<a href="#HttpFraming" class="xref">Section 8.1</a>)</span>, the definition of pseudo-header fields, or
          changes to any protocol element that a compliant endpoint might treat as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>.<a href="#section-5.5-5" class="pilcrow">¶</a></p>
<p id="section-5.5-6">An extension that changes existing protocol elements or state <span class="bcp14">MUST</span> be negotiated before
          being used.  For example, an extension that changes the layout of the <a href="#HEADERS" class="xref">HEADERS</a> frame cannot be used until the peer has
          given a positive signal that this is acceptable.  In this case, it could also be necessary
          to coordinate when the revised layout comes into effect.  For example, treating frames
          other than <a href="#DATA" class="xref">DATA</a> frames as flow controlled
          requires a change in semantics that both endpoints need to understand, so this can only be
          done through negotiation.<a href="#section-5.5-6" class="pilcrow">¶</a></p>
<p id="section-5.5-7">This document doesn't mandate a specific method for negotiating the use of an extension
          but notes that a <span><a href="#SettingValues" class="xref">setting</a> (<a href="#SettingValues" class="xref">Section 6.5.2</a>)</span> could be used for that
          purpose.  If both peers set a value that indicates willingness to use the extension, then
          the extension can be used.  If a setting is used for extension negotiation, the initial
          value <span class="bcp14">MUST</span> be defined in such a fashion that the extension is initially disabled.<a href="#section-5.5-7" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="FrameTypes">
<section id="section-6">
      <h2 id="name-frame-definitions">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-frame-definitions" class="section-name selfRef">Frame Definitions</a>
      </h2>
<p id="section-6-1">This specification defines a number of frame types, each identified by a unique 8-bit type
        code. Each frame type serves a distinct purpose in the establishment and management of either
        the connection as a whole or individual streams.<a href="#section-6-1" class="pilcrow">¶</a></p>
<p id="section-6-2">The transmission of specific frame types can alter the state of a connection. If endpoints
        fail to maintain a synchronized view of the connection state, successful communication
        within the connection will no longer be possible. Therefore, it is important that endpoints
        have a shared comprehension of how the state is affected by the use of any given frame.<a href="#section-6-2" class="pilcrow">¶</a></p>
<div id="DATA">
<section id="section-6.1">
        <h3 id="name-data">
<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-data" class="section-name selfRef">DATA</a>
        </h3>
<p id="section-6.1-1">DATA frames (type=0x00) convey arbitrary, variable-length sequences of octets associated
          with a stream. One or more DATA frames are used, for instance, to carry HTTP request or
          response message contents.<a href="#section-6.1-1" class="pilcrow">¶</a></p>
<p id="section-6.1-2">DATA frames <span class="bcp14">MAY</span> also contain padding.  Padding can be added to DATA frames to obscure the
          size of messages.  Padding is a security feature; see <a href="#padding" class="xref">Section 10.7</a>.<a href="#section-6.1-2" class="pilcrow">¶</a></p>
<span id="name-data-frame-format"></span><div id="DATAFrameFormat">
<figure id="figure-3">
          <div class="alignLeft art-inline art-text artwork" id="section-6.1-3.1">
<pre>
DATA Frame {
  Length (24),
  Type (8) = 0x00,

  Unused Flags (4),
  PADDED Flag (1),
  Unused Flags (2),
  END_STREAM Flag (1),

  Reserved (1),
  Stream Identifier (31),

  [Pad Length (8)],
  Data (..),
  Padding (..2040),
}
</pre>
</div>
<figcaption><a href="#figure-3" class="selfRef">Figure 3</a>:
<a href="#name-data-frame-format" class="selfRef">DATA Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.1-4">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The DATA frame contains the following additional fields:<a href="#section-6.1-4" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.1-5">
          <dt id="section-6.1-5.1">Pad Length:</dt>
          <dd style="margin-left: 1.5em" id="section-6.1-5.2">An 8-bit field containing the length of the frame padding in units of octets.  This
              field is conditional and is only present if the PADDED flag is set.<a href="#section-6.1-5.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.1-5.3">Data:</dt>
          <dd style="margin-left: 1.5em" id="section-6.1-5.4">Application data.  The amount of data is the remainder of the frame payload after
              subtracting the length of the other fields that are present.<a href="#section-6.1-5.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.1-5.5">Padding:</dt>
          <dd style="margin-left: 1.5em" id="section-6.1-5.6">Padding octets that contain no application semantic value.  Padding octets <span class="bcp14">MUST</span> be set
              to zero when sending.  A receiver is not obligated to verify padding but <span class="bcp14">MAY</span> treat
              non-zero padding as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
              type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.1-5.6" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.1-6">The DATA frame defines the following flags:<a href="#section-6.1-6" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.1-7">
          <dt id="section-6.1-7.1">PADDED (0x08):</dt>
          <dd style="margin-left: 1.5em" id="section-6.1-7.2">When set, the PADDED flag indicates that the Pad Length field and any padding that it describes
              are present.<a href="#section-6.1-7.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.1-7.3">END_STREAM (0x01):</dt>
          <dd style="margin-left: 1.5em" id="section-6.1-7.4">When set, the END_STREAM flag indicates that this frame is the last that the endpoint will send for
              the identified stream.  Setting this flag causes the stream to enter one of <span><a href="#StreamStates" class="xref">the "half-closed" states or the "closed" state</a> (<a href="#StreamStates" class="xref">Section 5.1</a>)</span>.<a href="#section-6.1-7.4" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<aside id="section-6.1-8">
          <p id="section-6.1-8.1">Note: An endpoint that learns of stream closure after sending all data can close a
            stream by sending a STREAM frame with a zero-length Data field and the END_STREAM flag
            set. This is only possible if the endpoint does not send trailers, as the END_STREAM
            flag appears on a HEADERS frame in that case; see <a href="#HttpFraming" class="xref">Section 8.1</a>.<a href="#section-6.1-8.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-6.1-9">DATA frames <span class="bcp14">MUST</span> be associated with a stream. If a DATA frame is received whose Stream
          Identifier field is 0x00, the recipient <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.1-9" class="pilcrow">¶</a></p>
<p id="section-6.1-10">DATA frames are subject to flow control and can only be sent when a stream is in the
          "open" or "half-closed (remote)" state. The entire DATA frame payload is included in flow
          control, including the Pad Length and Padding fields if present.  If a DATA frame is received
          whose stream is not in the "open" or "half-closed (local)" state, the recipient <span class="bcp14">MUST</span> respond
          with a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type
          <a href="#STREAM_CLOSED" class="xref">STREAM_CLOSED</a>.<a href="#section-6.1-10" class="pilcrow">¶</a></p>
<p id="section-6.1-11">The total number of padding octets is determined by the value of the Pad Length field. If
          the length of the padding is the length of the frame payload or greater, the recipient
          <span class="bcp14">MUST</span> treat this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
          type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.1-11" class="pilcrow">¶</a></p>
<aside id="section-6.1-12">
          <p id="section-6.1-12.1">Note:
            A frame can be increased in size by one octet by including a Pad Length field with a
            value of zero.<a href="#section-6.1-12.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
<div id="HEADERS">
<section id="section-6.2">
        <h3 id="name-headers">
<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-headers" class="section-name selfRef">HEADERS</a>
        </h3>
<p id="section-6.2-1">The HEADERS frame (type=0x01) is used to <span><a href="#StreamStates" class="xref">open a stream</a> (<a href="#StreamStates" class="xref">Section 5.1</a>)</span>,
          and additionally carries a field block fragment. Despite the name, a HEADERS frame can carry
          a header section or a trailer section. HEADERS frames can be sent on a stream
          in the "idle", "reserved (local)", "open", or "half-closed (remote)" state.<a href="#section-6.2-1" class="pilcrow">¶</a></p>
<span id="name-headers-frame-format"></span><div id="HEADERSFrameFormat">
<figure id="figure-4">
          <div class="alignLeft art-inline art-text artwork" id="section-6.2-2.1">
<pre>
HEADERS Frame {
  Length (24),
  Type (8) = 0x01,

  Unused Flags (2),
  PRIORITY Flag (1),
  Unused Flag (1),
  PADDED Flag (1),
  END_HEADERS Flag (1),
  Unused Flag (1),
  END_STREAM Flag (1),

  Reserved (1),
  Stream Identifier (31),

  [Pad Length (8)],
  [Exclusive (1)],
  [Stream Dependency (31)],
  [Weight (8)],
  Field Block Fragment (..),
  Padding (..2040),
}
</pre>
</div>
<figcaption><a href="#figure-4" class="selfRef">Figure 4</a>:
<a href="#name-headers-frame-format" class="selfRef">HEADERS Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.2-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The HEADERS frame payload has the following additional fields:<a href="#section-6.2-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.2-4">
          <dt id="section-6.2-4.1">Pad Length:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.2">An 8-bit field containing the length of the frame padding in units of octets.  This
            field is only present if the PADDED flag is set.<a href="#section-6.2-4.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-4.3">Exclusive:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.4">A single-bit flag.  This field is only present if the PRIORITY flag is set.  Priority
            signals in HEADERS frames are deprecated; see <a href="#PriorityHere" class="xref">Section 5.3.2</a>.<a href="#section-6.2-4.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-4.5">Stream Dependency:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.6">A 31-bit stream identifier.  This field is only present if the PRIORITY flag is set.<a href="#section-6.2-4.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-4.7">Weight:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.8">An unsigned 8-bit integer.  This field is only present if the PRIORITY flag is set.<a href="#section-6.2-4.8" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-4.9">Field Block Fragment:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.10">A <span><a href="#FieldBlock" class="xref">field block fragment</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.<a href="#section-6.2-4.10" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-4.11">Padding:</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-4.12">Padding octets that contain no application semantic value.  Padding octets <span class="bcp14">MUST</span> be set
              to zero when sending.  A receiver is not obligated to verify padding but <span class="bcp14">MAY</span> treat
              non-zero padding as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
              type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.2-4.12" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.2-5">The HEADERS frame defines the following flags:<a href="#section-6.2-5" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.2-6">
          <dt id="section-6.2-6.1">PRIORITY (0x20):</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-6.2">
            <p id="section-6.2-6.2.1">When set, the PRIORITY flag indicates that the Exclusive, Stream Dependency, and Weight
              fields are present.<a href="#section-6.2-6.2.1" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-6.3">PADDED (0x08):</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-6.4">
            <p id="section-6.2-6.4.1">When set, the PADDED flag indicates that the Pad Length field and any padding that it
                describes are present.<a href="#section-6.2-6.4.1" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-6.5">END_HEADERS (0x04):</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-6.6">
            <p id="section-6.2-6.6.1">When set, the END_HEADERS flag indicates that this frame contains an entire <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> and is not followed by any
                <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames.<a href="#section-6.2-6.6.1" class="pilcrow">¶</a></p>
<p id="section-6.2-6.6.2">A HEADERS frame without the END_HEADERS flag set <span class="bcp14">MUST</span> be followed by a
                <a href="#CONTINUATION" class="xref">CONTINUATION</a> frame for the same stream.  A receiver <span class="bcp14">MUST</span> treat the
                receipt of any other type of frame or a frame on a different stream as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.2-6.6.2" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-6.2-6.7">END_STREAM (0x01):</dt>
          <dd style="margin-left: 1.5em" id="section-6.2-6.8">
            <p id="section-6.2-6.8.1">When set, the END_STREAM flag indicates that the <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> is
                the last that the endpoint will send for the identified stream.<a href="#section-6.2-6.8.1" class="pilcrow">¶</a></p>
<p id="section-6.2-6.8.2">A HEADERS frame with the END_STREAM flag set signals the end of a stream.
                However, a HEADERS frame with the END_STREAM flag set can be followed by
                <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames on the same stream.  Logically, the
                <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames are part of the HEADERS frame.<a href="#section-6.2-6.8.2" class="pilcrow">¶</a></p>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.2-7">The frame payload of a HEADERS frame contains a <span><a href="#FieldBlock" class="xref">field block
          fragment</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.  A field block that does not fit within a HEADERS frame is continued in
          a <span><a href="#CONTINUATION" class="xref">CONTINUATION frame</a> (<a href="#CONTINUATION" class="xref">Section 6.10</a>)</span>.<a href="#section-6.2-7" class="pilcrow">¶</a></p>
<p id="section-6.2-8">HEADERS frames <span class="bcp14">MUST</span> be associated with a stream. If a HEADERS frame is received whose
          Stream Identifier field is 0x00, the recipient <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.2-8" class="pilcrow">¶</a></p>
<p id="section-6.2-9">The HEADERS frame changes the connection state as described in <a href="#FieldBlock" class="xref">Section 4.3</a>.<a href="#section-6.2-9" class="pilcrow">¶</a></p>
<p id="section-6.2-10">The total number of padding octets is determined by the value of the Pad Length field.  If
          the length of the padding is the length of the frame payload or greater, the recipient
          <span class="bcp14">MUST</span> treat this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
          type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.2-10" class="pilcrow">¶</a></p>
<aside id="section-6.2-11">
          <p id="section-6.2-11.1">Note:
            A frame can be increased in size by one octet by including a Pad Length field with a
            value of zero.<a href="#section-6.2-11.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
<div id="PRIORITY">
<section id="section-6.3">
        <h3 id="name-priority">
<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-priority" class="section-name selfRef">PRIORITY</a>
        </h3>
<p id="section-6.3-1">The PRIORITY frame (type=0x02) is deprecated; see <a href="#PriorityHere" class="xref">Section 5.3.2</a>.  A
          PRIORITY frame can be sent in any stream state, including idle or closed streams.<a href="#section-6.3-1" class="pilcrow">¶</a></p>
<span id="name-priority-frame-format"></span><div id="PRIORITYFrameFormat">
<figure id="figure-5">
          <div class="alignLeft art-inline art-text artwork" id="section-6.3-2.1">
<pre>
PRIORITY Frame {
  Length (24) = 0x05,
  Type (8) = 0x02,

  Unused Flags (8),

  Reserved (1),
  Stream Identifier (31),

  Exclusive (1),
  Stream Dependency (31),
  Weight (8),
}
</pre>
</div>
<figcaption><a href="#figure-5" class="selfRef">Figure 5</a>:
<a href="#name-priority-frame-format" class="selfRef">PRIORITY Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.3-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The frame payload of a PRIORITY frame contains the following additional fields:<a href="#section-6.3-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.3-4">
          <dt id="section-6.3-4.1">Exclusive:</dt>
          <dd style="margin-left: 1.5em" id="section-6.3-4.2">A single-bit flag.<a href="#section-6.3-4.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.3-4.3">Stream Dependency:</dt>
          <dd style="margin-left: 1.5em" id="section-6.3-4.4">A 31-bit stream identifier.<a href="#section-6.3-4.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.3-4.5">Weight:</dt>
          <dd style="margin-left: 1.5em" id="section-6.3-4.6">An unsigned 8-bit integer.<a href="#section-6.3-4.6" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.3-5">The PRIORITY frame does not define any flags.<a href="#section-6.3-5" class="pilcrow">¶</a></p>
<p id="section-6.3-6">The PRIORITY frame always identifies a stream.  If a PRIORITY frame is received with a
          stream identifier of 0x00, the recipient <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.3-6" class="pilcrow">¶</a></p>
<p id="section-6.3-7">Sending or receiving a PRIORITY frame does not affect the state of any stream (<a href="#StreamStates" class="xref">Section 5.1</a>).  The PRIORITY frame can be sent on a stream in any state,
          including "idle" or "closed".  A PRIORITY frame cannot be sent between consecutive frames
          that comprise a single <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.<a href="#section-6.3-7" class="pilcrow">¶</a></p>
<p id="section-6.3-8">A PRIORITY frame with a length other than 5 octets <span class="bcp14">MUST</span> be treated as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.<a href="#section-6.3-8" class="pilcrow">¶</a></p>
</section>
</div>
<div id="RST_STREAM">
<section id="section-6.4">
        <h3 id="name-rst_stream">
<a href="#section-6.4" class="section-number selfRef">6.4. </a><a href="#name-rst_stream" class="section-name selfRef">RST_STREAM</a>
        </h3>
<p id="section-6.4-1">The RST_STREAM frame (type=0x03) allows for immediate termination of a stream.  RST_STREAM
          is sent to request cancellation of a stream or to indicate that an error condition has
          occurred.<a href="#section-6.4-1" class="pilcrow">¶</a></p>
<span id="name-rst_stream-frame-format"></span><div id="RST_STREAMFrameFormat">
<figure id="figure-6">
          <div class="alignLeft art-inline art-text artwork" id="section-6.4-2.1">
<pre>
RST_STREAM Frame {
  Length (24) = 0x04,
  Type (8) = 0x03,

  Unused Flags (8),

  Reserved (1),
  Stream Identifier (31),

  Error Code (32),
}
</pre>
</div>
<figcaption><a href="#figure-6" class="selfRef">Figure 6</a>:
<a href="#name-rst_stream-frame-format" class="selfRef">RST_STREAM Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.4-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          Additionally, the RST_STREAM frame contains a single unsigned, 32-bit integer identifying the <span><a href="#ErrorCodes" class="xref">error code</a> (<a href="#ErrorCodes" class="xref">Section 7</a>)</span>.  The error code indicates why the stream is being
          terminated.<a href="#section-6.4-3" class="pilcrow">¶</a></p>
<p id="section-6.4-4">The RST_STREAM frame does not define any flags.<a href="#section-6.4-4" class="pilcrow">¶</a></p>
<p id="section-6.4-5">The RST_STREAM frame fully terminates the referenced stream and causes it to enter the
          "closed" state. After receiving a RST_STREAM on a stream, the receiver <span class="bcp14">MUST NOT</span> send
          additional frames for that stream, except for <a href="#PRIORITY" class="xref">PRIORITY</a>. However,
          after sending the RST_STREAM, the sending endpoint <span class="bcp14">MUST</span> be prepared to receive and process
          additional frames sent on the stream that might have been sent by the peer prior to the
          arrival of the RST_STREAM.<a href="#section-6.4-5" class="pilcrow">¶</a></p>
<p id="section-6.4-6">RST_STREAM frames <span class="bcp14">MUST</span> be associated with a stream.  If a RST_STREAM frame is received
          with a stream identifier of 0x00, the recipient <span class="bcp14">MUST</span> treat this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.4-6" class="pilcrow">¶</a></p>
<p id="section-6.4-7">RST_STREAM frames <span class="bcp14">MUST NOT</span> be sent for a stream in the "idle" state.  If a RST_STREAM
          frame identifying an idle stream is received, the recipient <span class="bcp14">MUST</span> treat this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.4-7" class="pilcrow">¶</a></p>
<p id="section-6.4-8">A RST_STREAM frame with a length other than 4 octets <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.<a href="#section-6.4-8" class="pilcrow">¶</a></p>
</section>
</div>
<div id="SETTINGS">
<section id="section-6.5">
        <h3 id="name-settings">
<a href="#section-6.5" class="section-number selfRef">6.5. </a><a href="#name-settings" class="section-name selfRef">SETTINGS</a>
        </h3>
<p id="section-6.5-1">The SETTINGS frame (type=0x04) conveys configuration parameters that affect how endpoints
          communicate, such as preferences and constraints on peer behavior.  The SETTINGS frame is
          also used to acknowledge the receipt of those settings.  Individually, a configuration
          parameter from a SETTINGS frame is referred to as a "setting".<a href="#section-6.5-1" class="pilcrow">¶</a></p>
<p id="section-6.5-2">Settings are not negotiated; they describe characteristics of the sending peer,
          which are used by the receiving peer. Different values for the same setting can be
          advertised by each peer. For example, a client might set a high initial flow-control
          window, whereas a server might set a lower value to conserve resources.<a href="#section-6.5-2" class="pilcrow">¶</a></p>
<p id="section-6.5-3">A SETTINGS frame <span class="bcp14">MUST</span> be sent by both endpoints at the start of a connection and <span class="bcp14">MAY</span> be
          sent at any other time by either endpoint over the lifetime of the connection.
          Implementations <span class="bcp14">MUST</span> support all of the settings defined by this specification.<a href="#section-6.5-3" class="pilcrow">¶</a></p>
<p id="section-6.5-4">Each parameter in a SETTINGS frame replaces any existing value for that parameter.
          Settings are processed in the order in which they appear, and a receiver of a SETTINGS
          frame does not need to maintain any state other than the current value of each setting.
          Therefore, the value of a SETTINGS parameter is the last value that is seen by
          a receiver.<a href="#section-6.5-4" class="pilcrow">¶</a></p>
<p id="section-6.5-5">SETTINGS frames are acknowledged by the receiving peer. To enable this, the SETTINGS
          frame defines the ACK flag:<a href="#section-6.5-5" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.5-6">
          <dt id="section-6.5-6.1">ACK (0x01):</dt>
          <dd style="margin-left: 1.5em" id="section-6.5-6.2">When set, the ACK flag indicates that this frame acknowledges receipt and application of the
              peer's SETTINGS frame.  When this bit is set, the frame payload of the SETTINGS frame <span class="bcp14">MUST</span>
              be empty.  Receipt of a SETTINGS frame with the ACK flag set and a length field value
              other than 0 <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection
              error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.  For more information, see <a href="#SettingsSync" class="xref">Section 6.5.3</a> ("<a href="#SettingsSync" class="xref">Settings Synchronization</a>").<a href="#section-6.5-6.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.5-7">SETTINGS frames always apply to a connection, never a single stream.  The stream
          identifier for a SETTINGS frame <span class="bcp14">MUST</span> be zero (0x00). If an endpoint receives a SETTINGS
          frame whose Stream Identifier field is anything other than 0x00, the endpoint <span class="bcp14">MUST</span> respond
          with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5-7" class="pilcrow">¶</a></p>
<p id="section-6.5-8">The SETTINGS frame affects connection state.  A badly formed or incomplete SETTINGS frame
          <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5-8" class="pilcrow">¶</a></p>
<p id="section-6.5-9">A SETTINGS frame with a length other than a multiple of 6 octets <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.<a href="#section-6.5-9" class="pilcrow">¶</a></p>
<div id="SettingFormat">
<section id="section-6.5.1">
          <h4 id="name-settings-format">
<a href="#section-6.5.1" class="section-number selfRef">6.5.1. </a><a href="#name-settings-format" class="section-name selfRef">SETTINGS Format</a>
          </h4>
<p id="section-6.5.1-1">The frame payload of a SETTINGS frame consists of zero or more settings, each consisting of
            an unsigned 16-bit setting identifier and an unsigned 32-bit value.<a href="#section-6.5.1-1" class="pilcrow">¶</a></p>
<span id="name-settings-frame-format"></span><div id="SettingFrameFormat">
<figure id="figure-7">
            <div class="alignLeft art-inline art-text artwork" id="section-6.5.1-2.1">
<pre>
SETTINGS Frame {
  Length (24),
  Type (8) = 0x04,

  Unused Flags (7),
  ACK Flag (1),

  Reserved (1),
  Stream Identifier (31) = 0,

  Setting (48) ...,
}

Setting {
  Identifier (16),
  Value (32),
}
</pre>
</div>
<figcaption><a href="#figure-7" class="selfRef">Figure 7</a>:
<a href="#name-settings-frame-format" class="selfRef">SETTINGS Frame Format</a>
            </figcaption></figure>
</div>
<p id="section-6.5.1-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described
            in <a href="#FramingLayer" class="xref">Section 4</a>.  The frame payload of a SETTINGS frame contains any
            number of Setting fields, each of which consists of:<a href="#section-6.5.1-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.5.1-4">
            <dt id="section-6.5.1-4.1">Identifier:</dt>
            <dd style="margin-left: 1.5em" id="section-6.5.1-4.2">A 16-bit setting identifier; see <a href="#SettingValues" class="xref">Section 6.5.2</a>.<a href="#section-6.5.1-4.2" class="pilcrow">¶</a>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.1-4.3">Value:</dt>
            <dd style="margin-left: 1.5em" id="section-6.5.1-4.4">A 32-bit value for the setting.<a href="#section-6.5.1-4.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
</dl>
</section>
</div>
<div id="SettingValues">
<section id="section-6.5.2">
          <h4 id="name-defined-settings">
<a href="#section-6.5.2" class="section-number selfRef">6.5.2. </a><a href="#name-defined-settings" class="section-name selfRef">Defined Settings</a>
          </h4>
<p id="section-6.5.2-1">The following settings are defined:<a href="#section-6.5.2-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.5.2-2">
            <dt id="section-6.5.2-2.1">
<div id="SETTINGS_HEADER_TABLE_SIZE">SETTINGS_HEADER_TABLE_SIZE (0x01):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.2">
              <p id="section-6.5.2-2.2.1">This setting allows the sender to inform the remote endpoint of the maximum size of the
                  compression table used to decode field blocks, in units of octets. The encoder can select
                  any size equal to or less than this value by using signaling specific to the
                  compression format inside a field block (see <span>[<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>). The initial value is 4,096 octets.<a href="#section-6.5.2-2.2.1" class="pilcrow">¶</a></p>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.2-2.3">
<div id="SETTINGS_ENABLE_PUSH">SETTINGS_ENABLE_PUSH (0x02):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.4">
              <p id="section-6.5.2-2.4.1">This setting can be used to enable or disable server push.  A server <span class="bcp14">MUST NOT</span> send a
                <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame if it receives
                this parameter set to a value of 0; see <a href="#PushResources" class="xref">Section 8.4</a>. A client
                that has both set this parameter to 0 and had it acknowledged <span class="bcp14">MUST</span> treat the receipt
                of a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5.2-2.4.1" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.4.2">The initial value of SETTINGS_ENABLE_PUSH is 1.  For a client, this value indicates that it
                is willing to receive PUSH_PROMISE frames.  For a server, this initial value has no effect, and
                is equivalent to the value 0.  Any value other than 0 or 1 <span class="bcp14">MUST</span> be treated as a
                <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5.2-2.4.2" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.4.3">A server <span class="bcp14">MUST NOT</span> explicitly set this value to 1.  A server <span class="bcp14">MAY</span> choose to omit this
                setting when it sends a SETTINGS frame, but if a server does include a value, it <span class="bcp14">MUST</span>
                be 0.  A client <span class="bcp14">MUST</span> treat receipt of a SETTINGS frame with SETTINGS_ENABLE_PUSH set
                to 1 as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5.2-2.4.3" class="pilcrow">¶</a></p>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.2-2.5">
<div id="SETTINGS_MAX_CONCURRENT_STREAMS">SETTINGS_MAX_CONCURRENT_STREAMS (0x03):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.6">
              <p id="section-6.5.2-2.6.1">This setting indicates the maximum number of concurrent streams that the sender will allow.
                  This limit is directional: it applies to the number of streams that the sender
                  permits the receiver to create. Initially, there is no limit to this value.  It is
                  recommended that this value be no smaller than 100, so as to not unnecessarily
                  limit parallelism.<a href="#section-6.5.2-2.6.1" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.6.2">A value of 0 for SETTINGS_MAX_CONCURRENT_STREAMS <span class="bcp14">SHOULD NOT</span> be treated as special
                  by endpoints.  A zero value does prevent the creation of new streams; however, this
                  can also happen for any limit that is exhausted with active streams.  Servers
                  <span class="bcp14">SHOULD</span> only set a zero value for short durations; if a server does not wish to
                  accept requests, closing the connection is more appropriate.<a href="#section-6.5.2-2.6.2" class="pilcrow">¶</a></p>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.2-2.7">
<div id="SETTINGS_INITIAL_WINDOW_SIZE">SETTINGS_INITIAL_WINDOW_SIZE (0x04):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.8">
              <p id="section-6.5.2-2.8.1">This setting indicates the sender's initial window size (in units of octets) for stream-level flow
                  control.  The initial value is 2<sup>16</sup>-1 (65,535) octets.<a href="#section-6.5.2-2.8.1" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.8.2">This setting affects the window size of all streams (see <a href="#InitialWindowSize" class="xref">Section 6.9.2</a>).<a href="#section-6.5.2-2.8.2" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.8.3">Values above the maximum flow-control window size of 2<sup>31</sup>-1 <span class="bcp14">MUST</span>
                  be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
                  type <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a>.<a href="#section-6.5.2-2.8.3" class="pilcrow">¶</a></p>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.2-2.9">
<div id="SETTINGS_MAX_FRAME_SIZE">SETTINGS_MAX_FRAME_SIZE (0x05):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.10">
              <p id="section-6.5.2-2.10.1">This setting indicates the size of the largest frame payload that the sender is willing to
                  receive, in units of octets.<a href="#section-6.5.2-2.10.1" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.10.2">The initial value is 2<sup>14</sup> (16,384) octets.  The value advertised by
                  an endpoint <span class="bcp14">MUST</span> be between this initial value and the maximum allowed frame size
                  (2<sup>24</sup>-1 or 16,777,215 octets), inclusive.  Values outside this range
                  <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>
                  of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.5.2-2.10.2" class="pilcrow">¶</a></p>
</dd>
            <dd class="break"></dd>
<dt id="section-6.5.2-2.11">
<div id="SETTINGS_MAX_HEADER_LIST_SIZE">SETTINGS_MAX_HEADER_LIST_SIZE (0x06):</div>
            </dt>
<dd style="margin-left: 1.5em" id="section-6.5.2-2.12">
              <p id="section-6.5.2-2.12.1">This advisory setting informs a peer of the maximum field section size that the
                  sender is prepared to accept, in units of octets. The value is based on the uncompressed
                  size of field lines, including the length of the name and value in units of octets plus
                  an overhead of 32 octets for each field line.<a href="#section-6.5.2-2.12.1" class="pilcrow">¶</a></p>
<p id="section-6.5.2-2.12.2">For any given request, a lower limit than what is advertised <span class="bcp14">MAY</span> be enforced.  The
                  initial value of this setting is unlimited.<a href="#section-6.5.2-2.12.2" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
</dl>
<p id="section-6.5.2-3">An endpoint that receives a SETTINGS frame with any unknown or unsupported identifier
            <span class="bcp14">MUST</span> ignore that setting.<a href="#section-6.5.2-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="SettingsSync">
<section id="section-6.5.3">
          <h4 id="name-settings-synchronization">
<a href="#section-6.5.3" class="section-number selfRef">6.5.3. </a><a href="#name-settings-synchronization" class="section-name selfRef">Settings Synchronization</a>
          </h4>
<p id="section-6.5.3-1">Most values in SETTINGS benefit from or require an understanding of when the peer has
            received and applied the changed parameter values. In order to provide such
            synchronization timepoints, the recipient of a SETTINGS frame in which the ACK flag is
            not set <span class="bcp14">MUST</span> apply the updated settings as soon as possible upon receipt.  SETTINGS
            frames are acknowledged in the order in which they are received.<a href="#section-6.5.3-1" class="pilcrow">¶</a></p>
<p id="section-6.5.3-2">The values in the SETTINGS frame <span class="bcp14">MUST</span> be processed in the order they appear, with no
            other frame processing between values.  Unsupported settings <span class="bcp14">MUST</span> be ignored.  Once
            all values have been processed, the recipient <span class="bcp14">MUST</span> immediately emit a SETTINGS frame
            with the ACK flag set. Upon receiving a SETTINGS frame with the ACK flag set, the sender
            of the altered settings can rely on the values from the oldest unacknowledged SETTINGS frame
            having been applied.<a href="#section-6.5.3-2" class="pilcrow">¶</a></p>
<p id="section-6.5.3-3">If the sender of a SETTINGS frame does not receive an acknowledgment within a
            reasonable amount of time, it <span class="bcp14">MAY</span> issue a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#SETTINGS_TIMEOUT" class="xref">SETTINGS_TIMEOUT</a>. In setting a timeout,
            some allowance needs to be made for processing delays at the peer; a timeout that is
            solely based on the round-trip time between endpoints might result in spurious errors.<a href="#section-6.5.3-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="PUSH_PROMISE">
<section id="section-6.6">
        <h3 id="name-push_promise">
<a href="#section-6.6" class="section-number selfRef">6.6. </a><a href="#name-push_promise" class="section-name selfRef">PUSH_PROMISE</a>
        </h3>
<p id="section-6.6-1">The PUSH_PROMISE frame (type=0x05) is used to notify the peer endpoint in advance of
          streams the sender intends to initiate.  The PUSH_PROMISE frame includes the unsigned
          31-bit identifier of the stream the endpoint plans to create along with a field section
          that provides additional context for the stream.  <a href="#PushResources" class="xref">Section 8.4</a> contains a
          thorough description of the use of PUSH_PROMISE frames.<a href="#section-6.6-1" class="pilcrow">¶</a></p>
<span id="name-push_promise-frame-format"></span><div id="PUSH_PROMISEFrameFormat">
<figure id="figure-8">
          <div class="alignLeft art-inline art-text artwork" id="section-6.6-2.1">
<pre>
PUSH_PROMISE Frame {
  Length (24),
  Type (8) = 0x05,

  Unused Flags (4),
  PADDED Flag (1),
  END_HEADERS Flag (1),
  Unused Flags (2),

  Reserved (1),
  Stream Identifier (31),

  [Pad Length (8)],
  Reserved (1),
  Promised Stream ID (31),
  Field Block Fragment (..),
  Padding (..2040),
}
</pre>
</div>
<figcaption><a href="#figure-8" class="selfRef">Figure 8</a>:
<a href="#name-push_promise-frame-format" class="selfRef">PUSH_PROMISE Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.6-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The PUSH_PROMISE frame payload has the following additional fields:<a href="#section-6.6-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.6-4">
          <dt id="section-6.6-4.1">Pad Length:</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-4.2">An 8-bit field containing the length of the frame padding in units of octets.  This
              field is only present if the PADDED flag is set.<a href="#section-6.6-4.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.6-4.3">Promised Stream ID:</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-4.4">An unsigned 31-bit integer that identifies the stream that is reserved by the
              PUSH_PROMISE.  The promised stream identifier <span class="bcp14">MUST</span> be a valid choice for the next
              stream sent by the sender (see "new stream identifier" in <a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>).<a href="#section-6.6-4.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.6-4.5">Field Block Fragment:</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-4.6">A <span><a href="#FieldBlock" class="xref">field block fragment</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> containing the request control
            data and a header section.<a href="#section-6.6-4.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-6.6-4.7">Padding:</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-4.8">Padding octets that contain no application semantic value.  Padding octets <span class="bcp14">MUST</span> be set
              to zero when sending.  A receiver is not obligated to verify padding but <span class="bcp14">MAY</span> treat
              non-zero padding as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
              type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.6-4.8" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.6-5">The PUSH_PROMISE frame defines the following flags:<a href="#section-6.6-5" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.6-6">
          <dt id="section-6.6-6.1">PADDED (0x08):</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-6.2">
            <p id="section-6.6-6.2.1">When set, the PADDED flag indicates that the Pad Length field and any padding that it
                describes are present.<a href="#section-6.6-6.2.1" class="pilcrow">¶</a></p>
</dd>
          <dd class="break"></dd>
<dt id="section-6.6-6.3">END_HEADERS (0x04):</dt>
          <dd style="margin-left: 1.5em" id="section-6.6-6.4">
            <p id="section-6.6-6.4.1">When set, the END_HEADERS flag indicates that this frame contains an entire <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> and is not followed by any
                <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames.<a href="#section-6.6-6.4.1" class="pilcrow">¶</a></p>
<p id="section-6.6-6.4.2">A PUSH_PROMISE frame without the END_HEADERS flag set <span class="bcp14">MUST</span> be followed by a
                CONTINUATION frame for the same stream.  A receiver <span class="bcp14">MUST</span> treat the receipt of any
                other type of frame or a frame on a different stream as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
                <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.6-6.4.2" class="pilcrow">¶</a></p>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.6-7">PUSH_PROMISE frames <span class="bcp14">MUST</span> only be sent on a peer-initiated stream that is in either the
          "open" or "half-closed (remote)" state. The stream identifier of a PUSH_PROMISE frame
          indicates the stream it is associated with.  If the Stream Identifier field specifies the
          value 0x00, a recipient <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.6-7" class="pilcrow">¶</a></p>
<p id="section-6.6-8">Promised streams are not required to be used in the order they are promised.  The
          PUSH_PROMISE only reserves stream identifiers for later use.<a href="#section-6.6-8" class="pilcrow">¶</a></p>
<p id="section-6.6-9">PUSH_PROMISE <span class="bcp14">MUST NOT</span> be sent if the <a href="#SETTINGS_ENABLE_PUSH" class="xref">SETTINGS_ENABLE_PUSH</a> setting of the
          peer endpoint is set to 0.  An endpoint that has set this setting and has received
          acknowledgment <span class="bcp14">MUST</span> treat the receipt of a PUSH_PROMISE frame as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.6-9" class="pilcrow">¶</a></p>
<p id="section-6.6-10">Recipients of PUSH_PROMISE frames can choose to reject promised streams by returning a
          <a href="#RST_STREAM" class="xref">RST_STREAM</a> referencing the promised stream identifier back to the sender of
          the PUSH_PROMISE.<a href="#section-6.6-10" class="pilcrow">¶</a></p>
<p id="section-6.6-11">A PUSH_PROMISE frame modifies the connection state in two ways.  First, the inclusion of a <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> potentially modifies the state maintained for
          field section compression.  Second, PUSH_PROMISE also reserves a stream for later use, causing the
          promised stream to enter the "reserved (local)" or "reserved (remote)" state.  A sender <span class="bcp14">MUST NOT</span> send a PUSH_PROMISE on a
          stream unless that stream is either "open" or "half-closed (remote)"; the sender <span class="bcp14">MUST</span>
          ensure that the promised stream is a valid choice for a <span><a href="#StreamIdentifiers" class="xref">new stream identifier</a> (<a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>)</span> (that is, the promised stream <span class="bcp14">MUST</span>
          be in the "idle" state).<a href="#section-6.6-11" class="pilcrow">¶</a></p>
<p id="section-6.6-12">Since PUSH_PROMISE reserves a stream, ignoring a PUSH_PROMISE frame causes the stream
          state to become indeterminate.  A receiver <span class="bcp14">MUST</span> treat the receipt of a PUSH_PROMISE on a
          stream that is neither "open" nor "half-closed (local)" as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.  However, an endpoint that has sent
          <a href="#RST_STREAM" class="xref">RST_STREAM</a> on the associated stream <span class="bcp14">MUST</span> handle PUSH_PROMISE frames that
          might have been created before the <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame is received and
          processed.<a href="#section-6.6-12" class="pilcrow">¶</a></p>
<p id="section-6.6-13">A receiver <span class="bcp14">MUST</span> treat the receipt of a PUSH_PROMISE that promises an <span><a href="#StreamIdentifiers" class="xref">illegal stream identifier</a> (<a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>)</span> as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>. Note that an illegal stream identifier
          is an identifier for a stream that is not currently in the "idle" state.<a href="#section-6.6-13" class="pilcrow">¶</a></p>
<p id="section-6.6-14">The total number of padding octets is determined by the value of the Pad Length field.  If
          the length of the padding is the length of the frame payload or greater, the recipient
          <span class="bcp14">MUST</span> treat this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of
          type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.6-14" class="pilcrow">¶</a></p>
<aside id="section-6.6-15">
          <p id="section-6.6-15.1">Note:
            A frame can be increased in size by one octet by including a Pad Length field with a
            value of zero.<a href="#section-6.6-15.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
<div id="PING">
<section id="section-6.7">
        <h3 id="name-ping">
<a href="#section-6.7" class="section-number selfRef">6.7. </a><a href="#name-ping" class="section-name selfRef">PING</a>
        </h3>
<p id="section-6.7-1">The PING frame (type=0x06) is a mechanism for measuring a minimal round-trip time from the
          sender, as well as determining whether an idle connection is still functional.  PING
          frames can be sent from any endpoint.<a href="#section-6.7-1" class="pilcrow">¶</a></p>
<span id="name-ping-frame-format"></span><div id="PINGFrameFormat">
<figure id="figure-9">
          <div class="alignLeft art-inline art-text artwork" id="section-6.7-2.1">
<pre>
PING Frame {
  Length (24) = 0x08,
  Type (8) = 0x06,

  Unused Flags (7),
  ACK Flag (1),

  Reserved (1),
  Stream Identifier (31) = 0,

  Opaque Data (64),
}
</pre>
</div>
<figcaption><a href="#figure-9" class="selfRef">Figure 9</a>:
<a href="#name-ping-frame-format" class="selfRef">PING Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.7-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.<a href="#section-6.7-3" class="pilcrow">¶</a></p>
<p id="section-6.7-4">In addition to the frame header, PING frames <span class="bcp14">MUST</span> contain 8 octets of opaque data in the frame payload.
          A sender can include any value it chooses and use those octets in any fashion.<a href="#section-6.7-4" class="pilcrow">¶</a></p>
<p id="section-6.7-5">Receivers of a PING frame that does not include an ACK flag <span class="bcp14">MUST</span> send a PING frame with
          the ACK flag set in response, with an identical frame payload.  PING responses <span class="bcp14">SHOULD</span> be given
          higher priority than any other frame.<a href="#section-6.7-5" class="pilcrow">¶</a></p>
<p id="section-6.7-6">The PING frame defines the following flags:<a href="#section-6.7-6" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.7-7">
          <dt id="section-6.7-7.1">ACK (0x01):</dt>
          <dd style="margin-left: 1.5em" id="section-6.7-7.2">When set, the ACK flag indicates that this PING frame is a PING response.  An endpoint <span class="bcp14">MUST</span>
              set this flag in PING responses.  An endpoint <span class="bcp14">MUST NOT</span> respond to PING frames
              containing this flag.<a href="#section-6.7-7.2" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.7-8">PING frames are not associated with any individual stream. If a PING frame is received
          with a Stream Identifier field value other than 0x00, the recipient <span class="bcp14">MUST</span> respond with a
          <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.7-8" class="pilcrow">¶</a></p>
<p id="section-6.7-9">Receipt of a PING frame with a length field value other than 8 <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.<a href="#section-6.7-9" class="pilcrow">¶</a></p>
</section>
</div>
<div id="GOAWAY">
<section id="section-6.8">
        <h3 id="name-goaway">
<a href="#section-6.8" class="section-number selfRef">6.8. </a><a href="#name-goaway" class="section-name selfRef">GOAWAY</a>
        </h3>
<p id="section-6.8-1">The GOAWAY frame (type=0x07) is used to initiate shutdown of a connection or to signal
          serious error conditions.  GOAWAY allows an endpoint to gracefully stop accepting new
          streams while still finishing processing of previously established streams.  This enables
          administrative actions, like server maintenance.<a href="#section-6.8-1" class="pilcrow">¶</a></p>
<p id="section-6.8-2">There is an inherent race condition between an endpoint starting new streams and the
          remote peer sending a GOAWAY frame.  To deal with this case, the GOAWAY contains the stream
          identifier of the last peer-initiated stream that was or might be processed on the
          sending endpoint in this connection.  For instance, if the server sends a GOAWAY frame,
          the identified stream is the highest-numbered stream initiated by the client.<a href="#section-6.8-2" class="pilcrow">¶</a></p>
<p id="section-6.8-3">Once the GOAWAY is sent, the sender will ignore frames sent on streams initiated by the
          receiver if the stream has an identifier higher than the included last stream identifier.
          Receivers of a GOAWAY frame <span class="bcp14">MUST NOT</span> open additional streams on the connection, although a
          new connection can be established for new streams.<a href="#section-6.8-3" class="pilcrow">¶</a></p>
<p id="section-6.8-4">If the receiver of the GOAWAY has sent data on streams with a higher stream identifier
          than what is indicated in the GOAWAY frame, those streams are not or will not be
          processed.  The receiver of the GOAWAY frame can treat the streams as though they had
          never been created at all, thereby allowing those streams to be retried later on a new
          connection.<a href="#section-6.8-4" class="pilcrow">¶</a></p>
<p id="section-6.8-5">Endpoints <span class="bcp14">SHOULD</span> always send a GOAWAY frame before closing a connection so that the remote
          peer can know whether a stream has been partially processed or not.  For example, if an
          HTTP client sends a POST at the same time that a server closes a connection, the client
          cannot know if the server started to process that POST request if the server does not send
          a GOAWAY frame to indicate what streams it might have acted on.<a href="#section-6.8-5" class="pilcrow">¶</a></p>
<p id="section-6.8-6">An endpoint might choose to close a connection without sending a GOAWAY for misbehaving
          peers.<a href="#section-6.8-6" class="pilcrow">¶</a></p>
<p id="section-6.8-7">A GOAWAY frame might not immediately precede closing of the connection; a receiver of a
          GOAWAY that has no more use for the connection <span class="bcp14">SHOULD</span> still send a GOAWAY frame before
          terminating the connection.<a href="#section-6.8-7" class="pilcrow">¶</a></p>
<span id="name-goaway-frame-format"></span><div id="GOAWAYFrameFormat">
<figure id="figure-10">
          <div class="alignLeft art-inline art-text artwork" id="section-6.8-8.1">
<pre>
GOAWAY Frame {
  Length (24),
  Type (8) = 0x07,

  Unused Flags (8),

  Reserved (1),
  Stream Identifier (31) = 0,

  Reserved (1),
  Last-Stream-ID (31),
  Error Code (32),
  Additional Debug Data (..),
}
</pre>
</div>
<figcaption><a href="#figure-10" class="selfRef">Figure 10</a>:
<a href="#name-goaway-frame-format" class="selfRef">GOAWAY Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.8-9">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.<a href="#section-6.8-9" class="pilcrow">¶</a></p>
<p id="section-6.8-10">The GOAWAY frame does not define any flags.<a href="#section-6.8-10" class="pilcrow">¶</a></p>
<p id="section-6.8-11">The GOAWAY frame applies to the connection, not a specific stream.  An endpoint <span class="bcp14">MUST</span> treat
          a <a href="#GOAWAY" class="xref">GOAWAY</a> frame with a stream identifier other than 0x00 as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.8-11" class="pilcrow">¶</a></p>
<p id="section-6.8-12">The last stream identifier in the GOAWAY frame contains the highest-numbered stream
          identifier for which the sender of the GOAWAY frame might have taken some action on or
          might yet take action on.  All streams up to and including the identified stream might
          have been processed in some way.  The last stream identifier can be set to 0 if no streams
          were processed.<a href="#section-6.8-12" class="pilcrow">¶</a></p>
<aside id="section-6.8-13">
          <p id="section-6.8-13.1">Note:
            In this context, "processed" means that some data from the stream was passed to some
            higher layer of software that might have taken some action as a result.<a href="#section-6.8-13.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-6.8-14">If a connection terminates without a GOAWAY frame, the last stream identifier is
          effectively the highest possible stream identifier.<a href="#section-6.8-14" class="pilcrow">¶</a></p>
<p id="section-6.8-15">On streams with lower- or equal-numbered identifiers that were not closed completely prior
          to the connection being closed, reattempting requests, transactions, or any protocol
          activity is not possible, except for idempotent actions like HTTP GET, PUT, or
          DELETE.  Any protocol activity that uses higher-numbered streams can be safely retried
          using a new connection.<a href="#section-6.8-15" class="pilcrow">¶</a></p>
<p id="section-6.8-16">Activity on streams numbered lower than or equal to the last stream identifier might still
          complete successfully.  The sender of a GOAWAY frame might gracefully shut down a
          connection by sending a GOAWAY frame, maintaining the connection in an "open" state until
          all in-progress streams complete.<a href="#section-6.8-16" class="pilcrow">¶</a></p>
<p id="section-6.8-17">An endpoint <span class="bcp14">MAY</span> send multiple GOAWAY frames if circumstances change.  For instance, an
          endpoint that sends GOAWAY with <a href="#NO_ERROR" class="xref">NO_ERROR</a> during graceful shutdown could
          subsequently encounter a condition that requires immediate termination of the connection.
          The last stream identifier from the last GOAWAY frame received indicates which streams
          could have been acted upon.  Endpoints <span class="bcp14">MUST NOT</span> increase the value they send in the last
          stream identifier, since the peers might already have retried unprocessed requests on
          another connection.<a href="#section-6.8-17" class="pilcrow">¶</a></p>
<p id="section-6.8-18">A client that is unable to retry requests loses all requests that are in flight when the
          server closes the connection.  This is especially true for intermediaries that might not
          be serving clients using HTTP/2.  A server that is attempting to gracefully shut down a
          connection <span class="bcp14">SHOULD</span> send an initial GOAWAY frame with the last stream identifier set to
          2<sup>31</sup>-1 and a <a href="#NO_ERROR" class="xref">NO_ERROR</a> code.  This signals to the client that
          a shutdown is imminent and that initiating further requests is prohibited.  After allowing
          time for any in-flight stream creation (at least one round-trip time),  the server <span class="bcp14">MAY</span>
          send another GOAWAY frame with an updated last stream identifier.  This ensures that a
          connection can be cleanly shut down without losing requests.<a href="#section-6.8-18" class="pilcrow">¶</a></p>
<p id="section-6.8-19">After sending a GOAWAY frame, the sender can discard frames for streams initiated by the
          receiver with identifiers higher than the identified last stream.  However, any frames
          that alter connection state cannot be completely ignored.  For instance,
          <a href="#HEADERS" class="xref">HEADERS</a>, <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>, and <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames
          <span class="bcp14">MUST</span> be minimally processed to ensure that the state maintained for field section compression is
          consistent (see <a href="#FieldBlock" class="xref">Section 4.3</a>); similarly, DATA frames <span class="bcp14">MUST</span> be counted
          toward the connection flow-control window.  Failure to process these frames can cause flow
          control or field section compression state to become unsynchronized.<a href="#section-6.8-19" class="pilcrow">¶</a></p>
<p id="section-6.8-20">The GOAWAY frame also contains a 32-bit <span><a href="#ErrorCodes" class="xref">error code</a> (<a href="#ErrorCodes" class="xref">Section 7</a>)</span> that
          contains the reason for closing the connection.<a href="#section-6.8-20" class="pilcrow">¶</a></p>
<p id="section-6.8-21">Endpoints <span class="bcp14">MAY</span> append opaque data to the frame payload of any GOAWAY frame.  Additional debug
          data is intended for diagnostic purposes only and carries no semantic value.  Debug
          information could contain security- or privacy-sensitive data.  Logged or otherwise
          persistently stored debug data <span class="bcp14">MUST</span> have adequate safeguards to prevent unauthorized
          access.<a href="#section-6.8-21" class="pilcrow">¶</a></p>
</section>
</div>
<div id="WINDOW_UPDATE">
<section id="section-6.9">
        <h3 id="name-window_update">
<a href="#section-6.9" class="section-number selfRef">6.9. </a><a href="#name-window_update" class="section-name selfRef">WINDOW_UPDATE</a>
        </h3>
<p id="section-6.9-1">The WINDOW_UPDATE frame (type=0x08) is used to implement flow control; see <a href="#FlowControl" class="xref">Section 5.2</a> for an overview.<a href="#section-6.9-1" class="pilcrow">¶</a></p>
<p id="section-6.9-2">Flow control operates at two levels: on each individual stream and on the entire
          connection.<a href="#section-6.9-2" class="pilcrow">¶</a></p>
<p id="section-6.9-3">Both types of flow control are hop by hop, that is, only between the two endpoints.
          Intermediaries do not forward WINDOW_UPDATE frames between dependent connections.
          However, throttling of data transfer by any receiver can indirectly cause the propagation
          of flow-control information toward the original sender.<a href="#section-6.9-3" class="pilcrow">¶</a></p>
<p id="section-6.9-4">Flow control only applies to frames that are identified as being subject to flow control.
          Of the frame types defined in this document, this includes only <a href="#DATA" class="xref">DATA</a> frames.
          Frames that are exempt from flow control <span class="bcp14">MUST</span> be accepted and processed, unless the
          receiver is unable to assign resources to handling the frame.  A receiver <span class="bcp14">MAY</span> respond with
          a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> or <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a> if it is unable to accept a frame.<a href="#section-6.9-4" class="pilcrow">¶</a></p>
<span id="name-window_update-frame-format"></span><div id="WINDOW_UPDATEFrameFormat">
<figure id="figure-11">
          <div class="alignLeft art-inline art-text artwork" id="section-6.9-5.1">
<pre>
WINDOW_UPDATE Frame {
  Length (24) = 0x04,
  Type (8) = 0x08,

  Unused Flags (8),

  Reserved (1),
  Stream Identifier (31),

  Reserved (1),
  Window Size Increment (31),
}
</pre>
</div>
<figcaption><a href="#figure-11" class="selfRef">Figure 11</a>:
<a href="#name-window_update-frame-format" class="selfRef">WINDOW_UPDATE Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.9-6">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The frame payload of a WINDOW_UPDATE frame is one reserved bit plus an unsigned 31-bit integer
          indicating the number of octets that the sender can transmit in addition to the existing
          flow-control window.  The legal range for the increment to the flow-control window is 1 to
          2<sup>31</sup>-1 (2,147,483,647) octets.<a href="#section-6.9-6" class="pilcrow">¶</a></p>
<p id="section-6.9-7">The WINDOW_UPDATE frame does not define any flags.<a href="#section-6.9-7" class="pilcrow">¶</a></p>
<p id="section-6.9-8">The WINDOW_UPDATE frame can be specific to a stream or to the entire connection.  In the
          former case, the frame's stream identifier indicates the affected stream; in the latter,
          the value "0" indicates that the entire connection is the subject of the frame.<a href="#section-6.9-8" class="pilcrow">¶</a></p>
<p id="section-6.9-9">A receiver <span class="bcp14">MUST</span> treat the receipt of a WINDOW_UPDATE frame with a flow-control window
          increment of 0 as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>; errors on the connection flow-control window <span class="bcp14">MUST</span> be
          treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>.<a href="#section-6.9-9" class="pilcrow">¶</a></p>
<p id="section-6.9-10">WINDOW_UPDATE can be sent by a peer that has sent a frame with the END_STREAM flag set.
          This means that a receiver could receive a WINDOW_UPDATE frame on a stream in a "half-closed (remote)"
          or "closed" state.  A receiver <span class="bcp14">MUST NOT</span> treat this as an error (see <a href="#StreamStates" class="xref">Section 5.1</a>).<a href="#section-6.9-10" class="pilcrow">¶</a></p>
<p id="section-6.9-11">A receiver that receives a flow-controlled frame <span class="bcp14">MUST</span> always account for its contribution
          against the connection flow-control window, unless the receiver treats this as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>.  This is necessary even if the
          frame is in error.  The sender counts the frame toward the flow-control window, but if
          the receiver does not, the flow-control window at the sender and receiver can become
          different.<a href="#section-6.9-11" class="pilcrow">¶</a></p>
<p id="section-6.9-12">A WINDOW_UPDATE frame with a length other than 4 octets <span class="bcp14">MUST</span> be treated as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#FRAME_SIZE_ERROR" class="xref">FRAME_SIZE_ERROR</a>.<a href="#section-6.9-12" class="pilcrow">¶</a></p>
<section id="section-6.9.1">
          <h4 id="name-the-flow-control-window">
<a href="#section-6.9.1" class="section-number selfRef">6.9.1. </a><a href="#name-the-flow-control-window" class="section-name selfRef">The Flow-Control Window</a>
          </h4>
<p id="section-6.9.1-1">Flow control in HTTP/2 is implemented using a window kept by each sender on every
            stream. The flow-control window is a simple integer value that indicates how many octets
            of data the sender is permitted to transmit; as such, its size is a measure of the
            buffering capacity of the receiver.<a href="#section-6.9.1-1" class="pilcrow">¶</a></p>
<p id="section-6.9.1-2">Two flow-control windows are applicable: the stream flow-control window and the
            connection flow-control window.  The sender <span class="bcp14">MUST NOT</span> send a flow-controlled frame with a
            length that exceeds the space available in either of the flow-control windows advertised
            by the receiver.  Frames with zero length with the END_STREAM flag set (that is, an
            empty <a href="#DATA" class="xref">DATA</a> frame) <span class="bcp14">MAY</span> be sent if there is no available space in either
            flow-control window.<a href="#section-6.9.1-2" class="pilcrow">¶</a></p>
<p id="section-6.9.1-3">For flow-control calculations, the 9-octet frame header is not counted.<a href="#section-6.9.1-3" class="pilcrow">¶</a></p>
<p id="section-6.9.1-4">After sending a flow-controlled frame, the sender reduces the space available in both
            windows by the length of the transmitted frame.<a href="#section-6.9.1-4" class="pilcrow">¶</a></p>
<p id="section-6.9.1-5">The receiver of a frame sends a WINDOW_UPDATE frame as it consumes data and frees up
            space in flow-control windows.  Separate WINDOW_UPDATE frames are sent for the stream-
            and connection-level flow-control windows.  Receivers are advised to have mechanisms in
            place to avoid sending WINDOW_UPDATE frames with very small increments; see <span><a href="https://www.rfc-editor.org/rfc/rfc1122#section-4.2.3.3" class="relref">Section 4.2.3.3</a> of [<a href="#RFC1122" class="xref">RFC1122</a>]</span>.<a href="#section-6.9.1-5" class="pilcrow">¶</a></p>
<p id="section-6.9.1-6">A sender that receives a WINDOW_UPDATE frame updates the corresponding window by the
            amount specified in the frame.<a href="#section-6.9.1-6" class="pilcrow">¶</a></p>
<p id="section-6.9.1-7">A sender <span class="bcp14">MUST NOT</span> allow a flow-control window to exceed 2<sup>31</sup>-1 octets.
            If a sender receives a WINDOW_UPDATE that causes a flow-control window to exceed this
            maximum, it <span class="bcp14">MUST</span> terminate either the stream or the connection, as appropriate.  For
            streams, the sender sends a <a href="#RST_STREAM" class="xref">RST_STREAM</a> with an error code of
            <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a>; for the connection, a <a href="#GOAWAY" class="xref">GOAWAY</a>
            frame with an error code of <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a> is sent.<a href="#section-6.9.1-7" class="pilcrow">¶</a></p>
<p id="section-6.9.1-8">Flow-controlled frames from the sender and WINDOW_UPDATE frames from the receiver are
            completely asynchronous with respect to each other. This property allows a receiver to
            aggressively update the window size kept by the sender to prevent streams from stalling.<a href="#section-6.9.1-8" class="pilcrow">¶</a></p>
</section>
<div id="InitialWindowSize">
<section id="section-6.9.2">
          <h4 id="name-initial-flow-control-window">
<a href="#section-6.9.2" class="section-number selfRef">6.9.2. </a><a href="#name-initial-flow-control-window" class="section-name selfRef">Initial Flow-Control Window Size</a>
          </h4>
<p id="section-6.9.2-1">When an HTTP/2 connection is first established, new streams are created with an initial
            flow-control window size of 65,535 octets. The connection flow-control window is also 65,535
            octets. Both endpoints can adjust the initial window size for new streams by including
            a value for <a href="#SETTINGS_INITIAL_WINDOW_SIZE" class="xref">SETTINGS_INITIAL_WINDOW_SIZE</a> in the <a href="#SETTINGS" class="xref">SETTINGS</a>
            frame. The connection flow-control window can
            only be changed using WINDOW_UPDATE frames.<a href="#section-6.9.2-1" class="pilcrow">¶</a></p>
<p id="section-6.9.2-2">Prior to receiving a <a href="#SETTINGS" class="xref">SETTINGS</a> frame that sets a value for
            <a href="#SETTINGS_INITIAL_WINDOW_SIZE" class="xref">SETTINGS_INITIAL_WINDOW_SIZE</a>, an endpoint can only use the default
            initial window size when sending flow-controlled frames.  Similarly, the connection flow-control
            window is set based on the default initial window size until a WINDOW_UPDATE frame is
            received.<a href="#section-6.9.2-2" class="pilcrow">¶</a></p>
<p id="section-6.9.2-3">In addition to changing the flow-control window for streams that are not yet active, a
            <a href="#SETTINGS" class="xref">SETTINGS</a> frame can alter the initial flow-control window size for streams
            with active flow-control windows (that is, streams in the "open" or "half-closed
            (remote)" state).  When the value of <a href="#SETTINGS_INITIAL_WINDOW_SIZE" class="xref">SETTINGS_INITIAL_WINDOW_SIZE</a>
            changes, a receiver <span class="bcp14">MUST</span> adjust the size of all stream flow-control windows that it
            maintains by the difference between the new value and the old value.<a href="#section-6.9.2-3" class="pilcrow">¶</a></p>
<p id="section-6.9.2-4">A change to <a href="#SETTINGS_INITIAL_WINDOW_SIZE" class="xref">SETTINGS_INITIAL_WINDOW_SIZE</a> can cause the available space in
            a flow-control window to become negative.  A sender <span class="bcp14">MUST</span> track the negative flow-control
            window and <span class="bcp14">MUST NOT</span> send new flow-controlled frames until it receives WINDOW_UPDATE
            frames that cause the flow-control window to become positive.<a href="#section-6.9.2-4" class="pilcrow">¶</a></p>
<p id="section-6.9.2-5">For example, if the client sends 60 KB immediately on connection establishment and the
            server sets the initial window size to be 16 KB, the client will recalculate the
            available flow-control window to be -44 KB on receipt of the <a href="#SETTINGS" class="xref">SETTINGS</a>
            frame.  The client retains a negative flow-control window until WINDOW_UPDATE frames
            restore the window to being positive, after which the client can resume sending.<a href="#section-6.9.2-5" class="pilcrow">¶</a></p>
<p id="section-6.9.2-6">A <a href="#SETTINGS" class="xref">SETTINGS</a> frame cannot alter the connection flow-control window.<a href="#section-6.9.2-6" class="pilcrow">¶</a></p>
<p id="section-6.9.2-7">An endpoint <span class="bcp14">MUST</span> treat a change to <a href="#SETTINGS_INITIAL_WINDOW_SIZE" class="xref">SETTINGS_INITIAL_WINDOW_SIZE</a> that
            causes any flow-control window to exceed the maximum size as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
            <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a>.<a href="#section-6.9.2-7" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-6.9.3">
          <h4 id="name-reducing-the-stream-window-">
<a href="#section-6.9.3" class="section-number selfRef">6.9.3. </a><a href="#name-reducing-the-stream-window-" class="section-name selfRef">Reducing the Stream Window Size</a>
          </h4>
<p id="section-6.9.3-1">A receiver that wishes to use a smaller flow-control window than the current size can
            send a new <a href="#SETTINGS" class="xref">SETTINGS</a> frame.  However, the receiver <span class="bcp14">MUST</span> be prepared to
            receive data that exceeds this window size, since the sender might send data that
            exceeds the lower limit prior to processing the <a href="#SETTINGS" class="xref">SETTINGS</a> frame.<a href="#section-6.9.3-1" class="pilcrow">¶</a></p>
<p id="section-6.9.3-2">After sending a SETTINGS frame that reduces the initial flow-control window size, a
            receiver <span class="bcp14">MAY</span> continue to process streams that exceed flow-control limits.  Allowing
            streams to continue does not allow the receiver to immediately reduce the space it
            reserves for flow-control windows.  Progress on these streams can also stall, since
            <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames are needed to allow the sender to resume sending.
            The receiver <span class="bcp14">MAY</span> instead send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> with an error code of
            <a href="#FLOW_CONTROL_ERROR" class="xref">FLOW_CONTROL_ERROR</a> for the affected streams.<a href="#section-6.9.3-2" class="pilcrow">¶</a></p>
</section>
</section>
</div>
<div id="CONTINUATION">
<section id="section-6.10">
        <h3 id="name-continuation">
<a href="#section-6.10" class="section-number selfRef">6.10. </a><a href="#name-continuation" class="section-name selfRef">CONTINUATION</a>
        </h3>
<p id="section-6.10-1">The CONTINUATION frame (type=0x09) is used to continue a sequence of <span><a href="#FieldBlock" class="xref">field block fragments</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.  Any number of CONTINUATION frames can
          be sent, as long as the preceding frame is on the same stream and is a
          <a href="#HEADERS" class="xref">HEADERS</a>, <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>, or CONTINUATION frame without the
          END_HEADERS flag set.<a href="#section-6.10-1" class="pilcrow">¶</a></p>
<span id="name-continuation-frame-format"></span><div id="CONTINUATIONFrameFormat">
<figure id="figure-12">
          <div class="alignLeft art-inline art-text artwork" id="section-6.10-2.1">
<pre>
CONTINUATION Frame {
  Length (24),
  Type (8) = 0x09,

  Unused Flags (5),
  END_HEADERS Flag (1),
  Unused Flags (2),

  Reserved (1),
  Stream Identifier (31),

  Field Block Fragment (..),
}
</pre>
</div>
<figcaption><a href="#figure-12" class="selfRef">Figure 12</a>:
<a href="#name-continuation-frame-format" class="selfRef">CONTINUATION Frame Format</a>
          </figcaption></figure>
</div>
<p id="section-6.10-3">The Length, Type, Unused Flag(s), Reserved, and Stream Identifier fields are described in <a href="#FramingLayer" class="xref">Section 4</a>.
          The CONTINUATION frame payload contains a <span><a href="#FieldBlock" class="xref">field block
          fragment</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.<a href="#section-6.10-3" class="pilcrow">¶</a></p>
<p id="section-6.10-4">The CONTINUATION frame defines the following flag:<a href="#section-6.10-4" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-6.10-5">
          <dt id="section-6.10-5.1">END_HEADERS (0x04):</dt>
          <dd style="margin-left: 1.5em" id="section-6.10-5.2">
            <p id="section-6.10-5.2.1">When set, the END_HEADERS flag indicates that this frame ends a <span><a href="#FieldBlock" class="xref">field
                block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span>.<a href="#section-6.10-5.2.1" class="pilcrow">¶</a></p>
<p id="section-6.10-5.2.2">If the END_HEADERS flag is not set, this frame <span class="bcp14">MUST</span> be followed by another
                CONTINUATION frame.  A receiver <span class="bcp14">MUST</span> treat the receipt of any other type of frame or
                a frame on a different stream as a <span><a href="#ConnectionErrorHandler" class="xref">connection
                error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.10-5.2.2" class="pilcrow">¶</a></p>
</dd>
        <dd class="break"></dd>
</dl>
<p id="section-6.10-6">The CONTINUATION frame changes the connection state as defined in <a href="#FieldBlock" class="xref">Section 4.3</a>.<a href="#section-6.10-6" class="pilcrow">¶</a></p>
<p id="section-6.10-7">CONTINUATION frames <span class="bcp14">MUST</span> be associated with a stream. If a CONTINUATION frame is received
          with a Stream Identifier field of 0x00, the recipient <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type PROTOCOL_ERROR.<a href="#section-6.10-7" class="pilcrow">¶</a></p>
<p id="section-6.10-8">A CONTINUATION frame <span class="bcp14">MUST</span> be preceded by a <a href="#HEADERS" class="xref">HEADERS</a>,
          <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> or CONTINUATION frame without the END_HEADERS flag set.  A
          recipient that observes violation of this rule <span class="bcp14">MUST</span> respond with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-6.10-8" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="ErrorCodes">
<section id="section-7">
      <h2 id="name-error-codes">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-error-codes" class="section-name selfRef">Error Codes</a>
      </h2>
<p id="section-7-1">Error codes are 32-bit fields that are used in <a href="#RST_STREAM" class="xref">RST_STREAM</a> and
        <a href="#GOAWAY" class="xref">GOAWAY</a> frames to convey the reasons for the stream or connection error.<a href="#section-7-1" class="pilcrow">¶</a></p>
<p id="section-7-2">Error codes share a common code space.  Some error codes apply only to either streams or the
        entire connection and have no defined semantics in the other context.<a href="#section-7-2" class="pilcrow">¶</a></p>
<p id="section-7-3">The following error codes are defined:<a href="#section-7-3" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-7-4">
        <dt id="section-7-4.1">NO_ERROR (0x00):</dt>
        <dd id="section-7-4.2" style="margin-left: 1.5em">
<div id="NO_ERROR">The associated condition is not a result of an error.  For example, a
            <a href="#GOAWAY" class="xref">GOAWAY</a> might include this code to indicate graceful shutdown of a
            connection.<a href="#NO_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.3">PROTOCOL_ERROR (0x01):</dt>
        <dd id="section-7-4.4" style="margin-left: 1.5em">
<div id="PROTOCOL_ERROR">The endpoint detected an unspecific protocol error.  This error is for use when a more
            specific error code is not available.<a href="#PROTOCOL_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.5">INTERNAL_ERROR (0x02):</dt>
        <dd id="section-7-4.6" style="margin-left: 1.5em">
<div id="INTERNAL_ERROR">The endpoint encountered an unexpected internal error.<a href="#INTERNAL_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.7">FLOW_CONTROL_ERROR (0x03):</dt>
        <dd id="section-7-4.8" style="margin-left: 1.5em">
<div id="FLOW_CONTROL_ERROR">The endpoint detected that its peer violated the flow-control protocol.<a href="#FLOW_CONTROL_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.9">SETTINGS_TIMEOUT (0x04):</dt>
        <dd id="section-7-4.10" style="margin-left: 1.5em">
<div id="SETTINGS_TIMEOUT">The endpoint sent a <a href="#SETTINGS" class="xref">SETTINGS</a> frame but did not receive a response in a
            timely manner.  See <a href="#SettingsSync" class="xref">Section 6.5.3</a> ("Settings Synchronization").<a href="#SETTINGS_TIMEOUT" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.11">STREAM_CLOSED (0x05):</dt>
        <dd id="section-7-4.12" style="margin-left: 1.5em">
<div id="STREAM_CLOSED">The endpoint received a frame after a stream was half-closed.<a href="#STREAM_CLOSED" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.13">FRAME_SIZE_ERROR (0x06):</dt>
        <dd id="section-7-4.14" style="margin-left: 1.5em">
<div id="FRAME_SIZE_ERROR">The endpoint received a frame with an invalid size.<a href="#FRAME_SIZE_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.15">REFUSED_STREAM (0x07):</dt>
        <dd id="section-7-4.16" style="margin-left: 1.5em">
<div id="REFUSED_STREAM">The endpoint refused the stream prior to performing any application processing (see
            <a href="#Reliability" class="xref">Section 8.7</a> for details).<a href="#REFUSED_STREAM" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.17">CANCEL (0x08):</dt>
        <dd id="section-7-4.18" style="margin-left: 1.5em">
<div id="CANCEL">The endpoint uses this error code to indicate that the stream is no longer needed.<a href="#CANCEL" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.19">COMPRESSION_ERROR (0x09):</dt>
        <dd id="section-7-4.20" style="margin-left: 1.5em">
<div id="COMPRESSION_ERROR">The endpoint is unable to maintain the field section compression context for the
            connection.<a href="#COMPRESSION_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.21">CONNECT_ERROR (0x0a):</dt>
        <dd id="section-7-4.22" style="margin-left: 1.5em">
<div id="CONNECT_ERROR">The connection established in response to a <span><a href="#CONNECT" class="xref">CONNECT
            request</a> (<a href="#CONNECT" class="xref">Section 8.5</a>)</span> was reset or abnormally closed.<a href="#CONNECT_ERROR" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.23">ENHANCE_YOUR_CALM (0x0b):</dt>
        <dd id="section-7-4.24" style="margin-left: 1.5em">
<div id="ENHANCE_YOUR_CALM">The endpoint detected that its peer is exhibiting a behavior that might be generating
            excessive load.<a href="#ENHANCE_YOUR_CALM" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.25">INADEQUATE_SECURITY (0x0c):</dt>
        <dd id="section-7-4.26" style="margin-left: 1.5em">
<div id="INADEQUATE_SECURITY">The underlying transport has properties that do not meet minimum security
            requirements (see <a href="#TLSUsage" class="xref">Section 9.2</a>).<a href="#INADEQUATE_SECURITY" class="pilcrow">¶</a>
</div>
        </dd>
<dd class="break"></dd>
<dt id="section-7-4.27">HTTP_1_1_REQUIRED (0x0d):</dt>
        <dd id="section-7-4.28" style="margin-left: 1.5em">
<div id="HTTP_1_1_REQUIRED">The endpoint requires that HTTP/1.1 be used instead of HTTP/2.<a href="#HTTP_1_1_REQUIRED" class="pilcrow">¶</a>
</div>
      </dd>
<dd class="break"></dd>
</dl>
<p id="section-7-5">Unknown or unsupported error codes <span class="bcp14">MUST NOT</span> trigger any special behavior.  These <span class="bcp14">MAY</span> be
        treated by an implementation as being equivalent to <a href="#INTERNAL_ERROR" class="xref">INTERNAL_ERROR</a>.<a href="#section-7-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="HttpLayer">
<section id="section-8">
      <h2 id="name-expressing-http-semantics-i">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-expressing-http-semantics-i" class="section-name selfRef">Expressing HTTP Semantics in HTTP/2</a>
      </h2>
<p id="section-8-1">HTTP/2 is an instantiation of the HTTP message abstraction (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6" class="relref">Section 6</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8-1" class="pilcrow">¶</a></p>
<div id="HttpFraming">
<section id="section-8.1">
        <h3 id="name-http-message-framing">
<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-http-message-framing" class="section-name selfRef">HTTP Message Framing</a>
        </h3>
<p id="section-8.1-1">A client sends an HTTP request on a new stream, using a previously unused <span><a href="#StreamIdentifiers" class="xref">stream identifier</a> (<a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>)</span>. A server sends an HTTP response on
          the same stream as the request.<a href="#section-8.1-1" class="pilcrow">¶</a></p>
<p id="section-8.1-2">An HTTP message (request or response) consists of:<a href="#section-8.1-2" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-8.1-3">
          <li id="section-8.1-3.1">one <a href="#HEADERS" class="xref">HEADERS</a> frame (followed by zero or
            more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames) containing
            the header section (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.3" class="relref">Section 6.3</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>),<a href="#section-8.1-3.1" class="pilcrow">¶</a>
</li>
          <li id="section-8.1-3.2">zero or more <a href="#DATA" class="xref">DATA</a> frames containing the
            message content (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.4" class="relref">Section 6.4</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>), and<a href="#section-8.1-3.2" class="pilcrow">¶</a>
</li>
          <li id="section-8.1-3.3">optionally, one <a href="#HEADERS" class="xref">HEADERS</a> frame (followed by
            zero or more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames)
            containing the trailer section, if present (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.5" class="relref">Section 6.5</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.1-3.3" class="pilcrow">¶</a>
</li>
        </ol>
<p id="section-8.1-4">For a response only, a server <span class="bcp14">MAY</span> send any number of interim responses before the <a href="#HEADERS" class="xref">HEADERS</a> frame containing a final response. An
          interim response consists of a <a href="#HEADERS" class="xref">HEADERS</a> frame
          (which might be followed by zero or more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames) containing the control data and header section
          of an interim (1xx) HTTP response (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-15" class="relref">Section 15</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>). A <a href="#HEADERS" class="xref">HEADERS</a> frame with the END_STREAM flag set that carries
          an informational status code is <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.1-4" class="pilcrow">¶</a></p>
<p id="section-8.1-5">The last frame in the sequence bears an END_STREAM flag, noting that a <a href="#HEADERS" class="xref">HEADERS</a> frame with the END_STREAM flag set can be
          followed by <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames that
          carry any remaining fragments of the field block.<a href="#section-8.1-5" class="pilcrow">¶</a></p>
<p id="section-8.1-6">Other frames (from any stream) <span class="bcp14">MUST NOT</span> occur between the <a href="#HEADERS" class="xref">HEADERS</a> frame
          and any <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames that might follow.<a href="#section-8.1-6" class="pilcrow">¶</a></p>
<p id="section-8.1-7">HTTP/2 uses DATA frames to carry message content.  The <code>chunked</code> transfer encoding
          defined in <span><a href="https://www.rfc-editor.org/rfc/rfc9112#section-7.1" class="relref">Section 7.1</a> of [<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span> cannot be used in HTTP/2; see <a href="#ConnectionSpecific" class="xref">Section 8.2.2</a>.<a href="#section-8.1-7" class="pilcrow">¶</a></p>
<p id="section-8.1-8">Trailer fields are carried in a field block that also terminates the stream. That is,
          trailer fields comprise a sequence starting with a <a href="#HEADERS" class="xref">HEADERS</a> frame, followed by zero or more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames, where the <a href="#HEADERS" class="xref">HEADERS</a> frame bears an END_STREAM flag. Trailers <span class="bcp14">MUST NOT</span> include
          <span><a href="#PseudoHeaderFields" class="xref">pseudo-header fields</a> (<a href="#PseudoHeaderFields" class="xref">Section 8.3</a>)</span>. An endpoint that receives
          pseudo-header fields in trailers <span class="bcp14">MUST</span> treat the request or response as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.1-8" class="pilcrow">¶</a></p>
<p id="section-8.1-9">An endpoint that receives a <a href="#HEADERS" class="xref">HEADERS</a> frame
          without the END_STREAM flag set after receiving the <a href="#HEADERS" class="xref">HEADERS</a> frame that opens a request or after receiving a final
          (non-informational) status code <span class="bcp14">MUST</span> treat the corresponding request or response as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.1-9" class="pilcrow">¶</a></p>
<p id="section-8.1-10">An HTTP request/response exchange fully consumes a single stream. A request starts with
          the <a href="#HEADERS" class="xref">HEADERS</a> frame that puts the stream into
          the "open" state. The request ends with a frame with the END_STREAM flag set, which causes the
          stream to become "half-closed (local)" for the client and "half-closed (remote)" for the
          server. A response stream starts with zero or more interim responses in <a href="#HEADERS" class="xref">HEADERS</a> frames, followed by a <a href="#HEADERS" class="xref">HEADERS</a> frame containing a final status code.<a href="#section-8.1-10" class="pilcrow">¶</a></p>
<p id="section-8.1-11">An HTTP response is complete after the server sends -- or the client receives -- a frame
          with the END_STREAM flag set (including any <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames needed to complete a field block). A server can
          send a complete response prior to the client sending an entire request if the response
          does not depend on any portion of the request that has not been sent and received. When
          this is true, a server <span class="bcp14">MAY</span> request that the client abort transmission of a request
          without error by sending a <a href="#RST_STREAM" class="xref">RST_STREAM</a> with
          an error code of <a href="#NO_ERROR" class="xref">NO_ERROR</a> after sending a
          complete response (i.e., a frame with the END_STREAM flag set). Clients <span class="bcp14">MUST NOT</span> discard
          responses as a result of receiving such a <a href="#RST_STREAM" class="xref">RST_STREAM</a>, though clients can always discard responses at their
          discretion for other reasons.<a href="#section-8.1-11" class="pilcrow">¶</a></p>
<div id="malformed">
<section id="section-8.1.1">
          <h4 id="name-malformed-messages">
<a href="#section-8.1.1" class="section-number selfRef">8.1.1. </a><a href="#name-malformed-messages" class="section-name selfRef">Malformed Messages</a>
          </h4>
<p id="section-8.1.1-1">A malformed request or response is one that is an otherwise valid sequence of HTTP/2
            frames but is invalid due to the presence of extraneous frames, prohibited fields or
            pseudo-header fields, the absence of mandatory pseudo-header fields, the inclusion of
            uppercase field names, or invalid field names and/or values (in certain circumstances;
            see <a href="#HttpHeaders" class="xref">Section 8.2</a>).<a href="#section-8.1.1-1" class="pilcrow">¶</a></p>
<p id="section-8.1.1-2">A request or response that includes message content can include a
            <code>content-length</code> header field. A request or response is also malformed if the
            value of a <code>content-length</code> header field does not equal the sum of the <a href="#DATA" class="xref">DATA</a> frame payload lengths that form the content,
            unless the message is defined as having no content.  For example, 204 or 304 responses
            contain no content, as does the response to a HEAD request.  A response that is defined
            to have no content, as described in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.4.1" class="relref">Section 6.4.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>, <span class="bcp14">MAY</span> have a
            non-zero <code>content-length</code> header field, even though no content is included in
            <a href="#DATA" class="xref">DATA</a> frames.<a href="#section-8.1.1-2" class="pilcrow">¶</a></p>
<p id="section-8.1.1-3">Intermediaries that process HTTP requests or responses (i.e., any intermediary not
            acting as a tunnel) <span class="bcp14">MUST NOT</span> forward a malformed request or response. Malformed
            requests or responses that are detected <span class="bcp14">MUST</span> be treated as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-8.1.1-3" class="pilcrow">¶</a></p>
<p id="section-8.1.1-4">For malformed requests, a server <span class="bcp14">MAY</span> send an HTTP response prior to closing or
            resetting the stream.  Clients <span class="bcp14">MUST NOT</span> accept a malformed response.<a href="#section-8.1.1-4" class="pilcrow">¶</a></p>
<p id="section-8.1.1-5">Endpoints that progressively process messages might have performed some processing
            before identifying a request or response as malformed. For instance, it might be
            possible to generate an informational or 404 status code without having received a
            complete request. Similarly, intermediaries might forward incomplete messages before
            detecting errors. A server <span class="bcp14">MAY</span> generate a final response before receiving an entire
            request when the response does not depend on the remainder of the request being
            correct.<a href="#section-8.1.1-5" class="pilcrow">¶</a></p>
<p id="section-8.1.1-6">These requirements are intended to protect against several types of common attacks
            against HTTP; they are deliberately strict because being permissive can expose
            implementations to these vulnerabilities.<a href="#section-8.1.1-6" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="HttpHeaders">
<section id="section-8.2">
        <h3 id="name-http-fields">
<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-http-fields" class="section-name selfRef">HTTP Fields</a>
        </h3>
<p id="section-8.2-1">HTTP fields (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-5" class="relref">Section 5</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) are conveyed by HTTP/2 in the HEADERS,
          CONTINUATION, and PUSH_PROMISE frames, compressed with <span><a href="#RFC7541" class="xref">HPACK</a> [<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>.<a href="#section-8.2-1" class="pilcrow">¶</a></p>
<p id="section-8.2-2">Field names <span class="bcp14">MUST</span> be converted to lowercase when constructing an HTTP/2 message.<a href="#section-8.2-2" class="pilcrow">¶</a></p>
<section id="section-8.2.1">
          <h4 id="name-field-validity">
<a href="#section-8.2.1" class="section-number selfRef">8.2.1. </a><a href="#name-field-validity" class="section-name selfRef">Field Validity</a>
          </h4>
<p id="section-8.2.1-1">The definitions of field names and values in HTTP prohibit some characters that HPACK
            might be able to convey.  HTTP/2 implementations <span class="bcp14">SHOULD</span> validate field names and values
            according to their definitions in Sections <a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.1" class="relref">5.1</a> and <a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.5" class="relref">5.5</a> of <span>[<a href="#RFC9110" class="xref">HTTP</a>]</span>, respectively, and treat messages that contain prohibited characters as
            <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.2.1-1" class="pilcrow">¶</a></p>
<p id="section-8.2.1-2">Failure to validate fields can be exploited for request smuggling attacks.  In
            particular, unvalidated fields might enable attacks when messages are forwarded using
            <span><a href="#RFC9112" class="xref">HTTP/1.1</a> [<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>, where characters such as carriage return (CR), line feed (LF), and COLON are
            used as delimiters.  Implementations <span class="bcp14">MUST</span> perform the following minimal validation of
            field names and values:<a href="#section-8.2.1-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.2.1-3.1">A field name <span class="bcp14">MUST NOT</span> contain characters in the ranges 0x00-0x20, 0x41-0x5a, or
              0x7f-0xff (all ranges inclusive).  This specifically excludes all non-visible ASCII
              characters, ASCII SP (0x20), and uppercase characters ('A' to 'Z', ASCII 0x41 to
              0x5a).<a href="#section-8.2.1-3.1" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-8.2.1-3.2">With the exception of <span><a href="#PseudoHeaderFields" class="xref">pseudo-header fields</a> (<a href="#PseudoHeaderFields" class="xref">Section 8.3</a>)</span>,
              which have a name that starts with a single colon, field names <span class="bcp14">MUST NOT</span> include a
              colon (ASCII COLON, 0x3a).<a href="#section-8.2.1-3.2" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-8.2.1-3.3">A field value <span class="bcp14">MUST NOT</span> contain the zero value (ASCII NUL, 0x00), line feed (ASCII LF,
              0x0a), or carriage return (ASCII CR, 0x0d) at any position.<a href="#section-8.2.1-3.3" class="pilcrow">¶</a>
</li>
            <li class="normal" id="section-8.2.1-3.4">A field value <span class="bcp14">MUST NOT</span> start or end with an ASCII whitespace character (ASCII SP or
              HTAB, 0x20 or 0x09).<a href="#section-8.2.1-3.4" class="pilcrow">¶</a>
</li>
          </ul>
<aside id="section-8.2.1-4">
            <p id="section-8.2.1-4.1">Note: An implementation that validates fields according to the definitions in Sections
            <a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.1" class="relref">5.1</a> and <a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.5" class="relref">5.5</a> of <span>[<a href="#RFC9110" class="xref">HTTP</a>]</span> only needs an additional check
            that field names do not include uppercase characters.<a href="#section-8.2.1-4.1" class="pilcrow">¶</a></p>
</aside>
<p id="section-8.2.1-5">A request or response that contains a field that violates any of these conditions <span class="bcp14">MUST</span>
            be treated as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.  In particular, an intermediary
            that does not process fields when forwarding messages <span class="bcp14">MUST NOT</span> forward fields that
            contain any of the values that are listed as prohibited above.<a href="#section-8.2.1-5" class="pilcrow">¶</a></p>
<p id="section-8.2.1-6">When a request message violates one of these requirements, an implementation <span class="bcp14">SHOULD</span>
            generate a 400 (Bad Request) status code (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-15.5.1" class="relref">Section 15.5.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>),
            unless a more suitable status code is defined or the status code cannot be sent (e.g.,
            because the error occurs in a trailer field).<a href="#section-8.2.1-6" class="pilcrow">¶</a></p>
<aside id="section-8.2.1-7">
            <p id="section-8.2.1-7.1">Note: Field values that are not valid according to the definition of the corresponding
              field do not cause a request to be <a href="#malformed" class="xref">malformed</a>; the requirements above only apply to the generic
              syntax for fields as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-5" class="relref">Section 5</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>.<a href="#section-8.2.1-7.1" class="pilcrow">¶</a></p>
</aside>
</section>
<div id="ConnectionSpecific">
<section id="section-8.2.2">
          <h4 id="name-connection-specific-header-">
<a href="#section-8.2.2" class="section-number selfRef">8.2.2. </a><a href="#name-connection-specific-header-" class="section-name selfRef">Connection-Specific Header Fields</a>
          </h4>
<p id="section-8.2.2-1">HTTP/2 does not use the <code>Connection</code> header field (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.6.1" class="relref">Section 7.6.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) to indicate connection-specific header fields; in this protocol,
            connection-specific metadata is conveyed by other means.  An endpoint <span class="bcp14">MUST NOT</span> generate
            an HTTP/2 message containing connection-specific header fields.  This includes the
            <code>Connection</code> header field and those listed as having connection-specific
            semantics in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.6.1" class="relref">Section 7.6.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span> (that is, <code>Proxy-Connection</code>,
            <code>Keep-Alive</code>, <code>Transfer-Encoding</code>, and <code>Upgrade</code>).  Any message
            containing connection-specific header fields <span class="bcp14">MUST</span> be treated as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.2.2-1" class="pilcrow">¶</a></p>
<p id="section-8.2.2-2">The only exception to this is the TE header field, which <span class="bcp14">MAY</span> be present in an HTTP/2
            request; when it is, it <span class="bcp14">MUST NOT</span> contain any value other than "trailers".<a href="#section-8.2.2-2" class="pilcrow">¶</a></p>
<p id="section-8.2.2-3">An intermediary transforming an HTTP/1.x message to HTTP/2 <span class="bcp14">MUST</span> remove connection-specific
            header fields as discussed in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.6.1" class="relref">Section 7.6.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>,
            or their messages will be treated by other HTTP/2 endpoints as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.2.2-3" class="pilcrow">¶</a></p>
<aside id="section-8.2.2-4">
            <p id="section-8.2.2-4.1">Note:
              HTTP/2 purposefully does not support upgrade to another protocol.  The handshake
              methods described in <a href="#starting" class="xref">Section 3</a> are believed sufficient to
              negotiate the use of alternative protocols.<a href="#section-8.2.2-4.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
<div id="CompressCookie">
<section id="section-8.2.3">
          <h4 id="name-compressing-the-cookie-head">
<a href="#section-8.2.3" class="section-number selfRef">8.2.3. </a><a href="#name-compressing-the-cookie-head" class="section-name selfRef">Compressing the Cookie Header Field</a>
          </h4>
<p id="section-8.2.3-1">The <span><a href="#RFC6265" class="xref">Cookie header field</a> [<a href="#RFC6265" class="xref">COOKIE</a>]</span> uses a semicolon (";") to delimit
            cookie-pairs (or "crumbs").  This header field contains multiple values, but does not use
            a COMMA (",") as a separator, thereby preventing cookie-pairs from being sent on
            multiple field lines (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-5.2" class="relref">Section 5.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).  This can significantly
            reduce compression efficiency, as updates to individual cookie-pairs would invalidate any
            field lines that are stored in the HPACK table.<a href="#section-8.2.3-1" class="pilcrow">¶</a></p>
<p id="section-8.2.3-2">To allow for better compression efficiency, the Cookie header field <span class="bcp14">MAY</span> be split into
            separate header fields, each with one or more cookie-pairs.  If there are multiple
            Cookie header fields after decompression, these <span class="bcp14">MUST</span> be concatenated into a single
            octet string using the two-octet delimiter of 0x3b, 0x20 (the ASCII string "; ")
            before being passed into a non-HTTP/2 context, such as an HTTP/1.1 connection, or a
            generic HTTP server application.<a href="#section-8.2.3-2" class="pilcrow">¶</a></p>
<p id="section-8.2.3-3" class="keepWithNext">Therefore, the following two lists of Cookie header fields are semantically
              equivalent.<a href="#section-8.2.3-3" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.2.3-4">
<pre>
cookie: a=b; c=d; e=f

cookie: a=b
cookie: c=d
cookie: e=f
</pre><a href="#section-8.2.3-4" class="pilcrow">¶</a>
</div>
</section>
</div>
</section>
</div>
<div id="PseudoHeaderFields">
<section id="section-8.3">
        <h3 id="name-http-control-data">
<a href="#section-8.3" class="section-number selfRef">8.3. </a><a href="#name-http-control-data" class="section-name selfRef">HTTP Control Data</a>
        </h3>
<p id="section-8.3-1">HTTP/2 uses special pseudo-header fields beginning with a ':' character (ASCII 0x3a) to
          convey message control data (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.2" class="relref">Section 6.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.3-1" class="pilcrow">¶</a></p>
<p id="section-8.3-2">Pseudo-header fields are not HTTP header fields.  Endpoints <span class="bcp14">MUST NOT</span> generate
          pseudo-header fields other than those defined in this document.  Note that an
          extension could negotiate the use of additional pseudo-header fields; see
          <a href="#extensibility" class="xref">Section 5.5</a>.<a href="#section-8.3-2" class="pilcrow">¶</a></p>
<p id="section-8.3-3">Pseudo-header fields are only valid in the context in which they are defined.
          Pseudo-header fields defined for requests <span class="bcp14">MUST NOT</span> appear in responses; pseudo-header
          fields defined for responses <span class="bcp14">MUST NOT</span> appear in requests.  Pseudo-header fields <span class="bcp14">MUST NOT</span> appear in a trailer section.  Endpoints <span class="bcp14">MUST</span> treat a request or response that contains
          undefined or invalid pseudo-header fields as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.3-3" class="pilcrow">¶</a></p>
<p id="section-8.3-4">All pseudo-header fields <span class="bcp14">MUST</span> appear in a field block before all regular field lines.
          Any request or response that contains a pseudo-header field that appears in a field
          block after a regular field line <span class="bcp14">MUST</span> be treated as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.3-4" class="pilcrow">¶</a></p>
<p id="section-8.3-5">The same pseudo-header field name <span class="bcp14">MUST NOT</span> appear more than once in a field block. A
          field block for an HTTP request or response that contains a repeated pseudo-header field
          name <span class="bcp14">MUST</span> be treated as <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.3-5" class="pilcrow">¶</a></p>
<div id="HttpRequest">
<section id="section-8.3.1">
          <h4 id="name-request-pseudo-header-field">
<a href="#section-8.3.1" class="section-number selfRef">8.3.1. </a><a href="#name-request-pseudo-header-field" class="section-name selfRef">Request Pseudo-Header Fields</a>
          </h4>
<p id="section-8.3.1-1">The following pseudo-header fields are defined for HTTP/2 requests:<a href="#section-8.3.1-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.3.1-2.1">
              <p id="section-8.3.1-2.1.1">The "<code>:method</code>" pseudo-header field includes the HTTP
                  method (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9" class="relref">Section 9</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.3.1-2.1.1" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-8.3.1-2.2">
              <p id="section-8.3.1-2.2.1">The "<code>:scheme</code>" pseudo-header field includes the scheme portion of the request
                target. The scheme is taken from the target URI (<span><a href="https://www.rfc-editor.org/rfc/rfc3986#section-3.1" class="relref">Section 3.1</a> of [<a href="#RFC3986" class="xref">RFC3986</a>]</span>) when generating a request directly, or from the scheme of a
                translated request (for example, see <span><a href="https://www.rfc-editor.org/rfc/rfc9112#section-3.3" class="relref">Section 3.3</a> of [<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>). Scheme
                is omitted for <span><a href="#CONNECT" class="xref">CONNECT requests</a> (<a href="#CONNECT" class="xref">Section 8.5</a>)</span>.<a href="#section-8.3.1-2.2.1" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.2.2">"<code>:scheme</code>" is not restricted to "<code>http</code>" and "<code>https</code>" schemed
                URIs.  A proxy or gateway can translate requests for non-HTTP schemes, enabling
                the use of HTTP to interact with non-HTTP services.<a href="#section-8.3.1-2.2.2" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-8.3.1-2.3">
              <p id="section-8.3.1-2.3.1">The "<code>:authority</code>" pseudo-header field conveys the authority portion (<span><a href="https://www.rfc-editor.org/rfc/rfc3986#section-3.2" class="relref">Section 3.2</a> of [<a href="#RFC3986" class="xref">RFC3986</a>]</span>) of the target URI (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.1" class="relref">Section 7.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>). The recipient of an HTTP/2 request <span class="bcp14">MUST NOT</span> use the <code>Host</code>
                header field to determine the target URI if "<code>:authority</code>" is present.<a href="#section-8.3.1-2.3.1" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.2">Clients that generate HTTP/2 requests directly <span class="bcp14">MUST</span> use the "<code>:authority</code>"
                pseudo-header field to convey authority information, unless there is no authority
                information to convey (in which case it <span class="bcp14">MUST NOT</span> generate "<code>:authority</code>").<a href="#section-8.3.1-2.3.2" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.3">Clients <span class="bcp14">MUST NOT</span> generate a request with a <code>Host</code> header field that differs
                from the "<code>:authority</code>" pseudo-header field.  A
                server <span class="bcp14">SHOULD</span> treat a request as malformed if it contains a <code>Host</code> header
                field that identifies an entity that differs from the entity in the "<code>:authority</code>" pseudo-header
                field.  The values of fields need to be normalized to compare them (see <span><a href="https://www.rfc-editor.org/rfc/rfc3986#section-6.2" class="relref">Section 6.2</a> of [<a href="#RFC3986" class="xref">RFC3986</a>]</span>).  An origin server can apply any normalization
                method, whereas other servers <span class="bcp14">MUST</span> perform scheme-based normalization (see <span><a href="https://www.rfc-editor.org/rfc/rfc3986#section-6.2.3" class="relref">Section 6.2.3</a> of [<a href="#RFC3986" class="xref">RFC3986</a>]</span>) of the two fields.<a href="#section-8.3.1-2.3.3" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.4">An intermediary that forwards a request over HTTP/2 <span class="bcp14">MUST</span> construct an
                "<code>:authority</code>" pseudo-header field using the authority information from the
                control data of the original request, unless the original request's target URI
                does not contain authority information (in which case it <span class="bcp14">MUST NOT</span> generate
                "<code>:authority</code>"). Note that the <code>Host</code> header field is not the sole
                source of this information; see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.2" class="relref">Section 7.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>.<a href="#section-8.3.1-2.3.4" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.5">An intermediary that needs to generate a <code>Host</code> header field (which might be
                necessary to construct an HTTP/1.1 request) <span class="bcp14">MUST</span> use the value from the "<code>:authority</code>"
                pseudo-header field as the value of the <code>Host</code> field,
                unless the intermediary also changes the request target. This replaces any existing
                <code>Host</code> field to avoid potential vulnerabilities in HTTP routing.<a href="#section-8.3.1-2.3.5" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.6">An intermediary that forwards a request over HTTP/2 <span class="bcp14">MAY</span> retain any <code>Host</code>
                header field.<a href="#section-8.3.1-2.3.6" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.7">Note that request targets for CONNECT or asterisk-form OPTIONS requests never
                include authority information; see Sections <a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.1" class="relref">7.1</a> and <a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.2" class="relref">7.2</a>
                of <span>[<a href="#RFC9110" class="xref">HTTP</a>]</span>.<a href="#section-8.3.1-2.3.7" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.3.8">"<code>:authority</code>" <span class="bcp14">MUST NOT</span> include the deprecated userinfo subcomponent for
                "<code>http</code>" or "<code>https</code>" schemed URIs.<a href="#section-8.3.1-2.3.8" class="pilcrow">¶</a></p>
</li>
            <li class="normal" id="section-8.3.1-2.4">
              <p id="section-8.3.1-2.4.1">The "<code>:path</code>" pseudo-header field includes the path and
                  query parts of the target URI (the <code>absolute-path</code>
                  production and, optionally, a '?' character followed by the
                  <code>query</code> production; see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-4.1" class="relref">Section 4.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).
                  A request in asterisk form (for OPTIONS) includes the value '*' for the
                  "<code>:path</code>" pseudo-header field.<a href="#section-8.3.1-2.4.1" class="pilcrow">¶</a></p>
<p id="section-8.3.1-2.4.2">This pseudo-header field <span class="bcp14">MUST NOT</span> be empty for "<code>http</code>" or "<code>https</code>"
                  URIs; "<code>http</code>" or "<code>https</code>" URIs that do not contain a path component
                  <span class="bcp14">MUST</span> include a value of '/'. The exceptions to this rule are:<a href="#section-8.3.1-2.4.2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.3.1-2.4.3.1">an OPTIONS request for an "<code>http</code>" or "<code>https</code>" URI that does not include a path
                  component; these <span class="bcp14">MUST</span> include a "<code>:path</code>" pseudo-header field with a value
                  of '*' (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.1" class="relref">Section 7.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.3.1-2.4.3.1" class="pilcrow">¶</a>
</li>
                <li class="normal" id="section-8.3.1-2.4.3.2">
                  <span><a href="#CONNECT" class="xref">CONNECT requests</a> (<a href="#CONNECT" class="xref">Section 8.5</a>)</span>, where the "<code>:path</code>" pseudo-header field is omitted.<a href="#section-8.3.1-2.4.3.2" class="pilcrow">¶</a>
</li>
              </ul>
</li>
          </ul>
<p id="section-8.3.1-3">All HTTP/2 requests <span class="bcp14">MUST</span> include exactly one valid value for the "<code>:method</code>",
            "<code>:scheme</code>", and "<code>:path</code>" pseudo-header fields, unless they are <span><a href="#CONNECT" class="xref">CONNECT requests</a> (<a href="#CONNECT" class="xref">Section 8.5</a>)</span>. An HTTP request that omits mandatory
            pseudo-header fields is <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.3.1-3" class="pilcrow">¶</a></p>
<p id="section-8.3.1-4">Individual HTTP/2 requests do not carry an explicit indicator of protocol version.
            All HTTP/2 requests implicitly have a protocol version of "2.0" (see
            <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-6.2" class="relref">Section 6.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.3.1-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="HttpResponse">
<section id="section-8.3.2">
          <h4 id="name-response-pseudo-header-fiel">
<a href="#section-8.3.2" class="section-number selfRef">8.3.2. </a><a href="#name-response-pseudo-header-fiel" class="section-name selfRef">Response Pseudo-Header Fields</a>
          </h4>
<p id="section-8.3.2-1">For HTTP/2 responses, a single "<code>:status</code>" pseudo-header
            field is defined that carries the HTTP status code field (see
            <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-15" class="relref">Section 15</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>). This pseudo-header field <span class="bcp14">MUST</span> be included in all
            responses, including interim responses; otherwise, the response is
            <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.3.2-1" class="pilcrow">¶</a></p>
<p id="section-8.3.2-2">HTTP/2 responses implicitly have a protocol version of "2.0".<a href="#section-8.3.2-2" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="PushResources">
<section id="section-8.4">
        <h3 id="name-server-push">
<a href="#section-8.4" class="section-number selfRef">8.4. </a><a href="#name-server-push" class="section-name selfRef">Server Push</a>
        </h3>
<p id="section-8.4-1">HTTP/2 allows a server to preemptively send (or "push") responses (along with
          corresponding "promised" requests) to a client in association with a previous
          client-initiated request.<a href="#section-8.4-1" class="pilcrow">¶</a></p>
<p id="section-8.4-2">Server push was designed to allow a server to improve client-perceived performance by
          predicting what requests will follow those that it receives, thereby removing a round
          trip for them. For example, a request for HTML is often followed by requests
          for stylesheets and scripts referenced by that page. When these requests
          are pushed, the client does not need to wait to receive the references to them in the HTML
          and issue separate requests.<a href="#section-8.4-2" class="pilcrow">¶</a></p>
<p id="section-8.4-3">In practice, server push is difficult to use effectively, because it requires the
          server to correctly anticipate the additional requests the client will make, taking into
          account factors such as caching, content negotiation, and user behavior. Errors in
          prediction can lead to performance degradation, due to the opportunity cost that the
          additional data on the wire represents. In particular, pushing any significant amount of
          data can cause contention issues with responses that are more important.<a href="#section-8.4-3" class="pilcrow">¶</a></p>
<p id="section-8.4-4">A client can request that server push be disabled, though this is negotiated for each hop
          independently. The <a href="#SETTINGS_ENABLE_PUSH" class="xref">SETTINGS_ENABLE_PUSH</a> setting can be set to 0 to indicate that server
          push is disabled.<a href="#section-8.4-4" class="pilcrow">¶</a></p>
<p id="section-8.4-5">Promised requests <span class="bcp14">MUST</span> be safe (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9.2.1" class="relref">Section 9.2.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) and cacheable
          (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9.2.3" class="relref">Section 9.2.3</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>). Promised requests cannot include any content
          or a trailer section. Clients that receive a promised request that is not cacheable, that
          is not known to be safe, or that indicates the presence of request content <span class="bcp14">MUST</span> reset the
          promised stream with a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type
          <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>. Note that this could result
          in the promised stream being reset if the client does not recognize a newly defined
          method as being safe.<a href="#section-8.4-5" class="pilcrow">¶</a></p>
<p id="section-8.4-6">Pushed responses that are cacheable (see <span><a href="https://www.rfc-editor.org/rfc/rfc9111#section-3" class="relref">Section 3</a> of [<a href="#RFC9111" class="xref">CACHING</a>]</span>) can be
          stored by the client, if it implements an HTTP cache. Pushed responses are considered
          successfully validated on the origin server (e.g., if the "no-cache" cache response
          directive is present; see <span><a href="https://www.rfc-editor.org/rfc/rfc9111#section-5.2.2.4" class="relref">Section 5.2.2.4</a> of [<a href="#RFC9111" class="xref">CACHING</a>]</span>) while the stream
          identified by the promised stream identifier is still open.<a href="#section-8.4-6" class="pilcrow">¶</a></p>
<p id="section-8.4-7">Pushed responses that are not cacheable <span class="bcp14">MUST NOT</span> be stored by any HTTP cache. They <span class="bcp14">MAY</span>
          be made available to the application separately.<a href="#section-8.4-7" class="pilcrow">¶</a></p>
<p id="section-8.4-8">The server <span class="bcp14">MUST</span> include a value in the "<code>:authority</code>" pseudo-header field for which
          the server is authoritative (see <a href="#authority" class="xref">Section 10.1</a>). A client <span class="bcp14">MUST</span> treat a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> for which the server is not
          authoritative as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-8.4-8" class="pilcrow">¶</a></p>
<p id="section-8.4-9">An intermediary can receive pushes from the server and choose not to forward them on to
          the client. In other words, how to make use of the pushed information is up to that
          intermediary. Equally, the intermediary might choose to make additional pushes to the
          client, without any action taken by the server.<a href="#section-8.4-9" class="pilcrow">¶</a></p>
<p id="section-8.4-10">A client cannot push. Thus, servers <span class="bcp14">MUST</span> treat the receipt of a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>. A server cannot set the
          <a href="#SETTINGS_ENABLE_PUSH" class="xref">SETTINGS_ENABLE_PUSH</a> setting to
          a value other than 0 (see <a href="#SettingValues" class="xref">Section 6.5.2</a>).<a href="#section-8.4-10" class="pilcrow">¶</a></p>
<div id="PushRequests">
<section id="section-8.4.1">
          <h4 id="name-push-requests">
<a href="#section-8.4.1" class="section-number selfRef">8.4.1. </a><a href="#name-push-requests" class="section-name selfRef">Push Requests</a>
          </h4>
<p id="section-8.4.1-1">Server push is semantically equivalent to a server responding to a request; however, in
            this case, that request is also sent by the server, as a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>
            frame.<a href="#section-8.4.1-1" class="pilcrow">¶</a></p>
<p id="section-8.4.1-2">The <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame includes a
            field block that contains control data and a complete
            set of request header fields that the server attributes to the request. It is not
            possible to push a response to a request that includes message content.<a href="#section-8.4.1-2" class="pilcrow">¶</a></p>
<p id="section-8.4.1-3">Promised requests are always associated with an explicit request from the client. The
            <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames sent by the server are sent on that explicit
            request's stream. The <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame also includes a promised stream
            identifier, chosen from the stream identifiers available to the server (see <a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>).<a href="#section-8.4.1-3" class="pilcrow">¶</a></p>
<p id="section-8.4.1-4">The header fields in <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> and
            any subsequent <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames <span class="bcp14">MUST</span>
            be a valid and complete set of <span><a href="#HttpRequest" class="xref">request header
            fields</a> (<a href="#HttpRequest" class="xref">Section 8.3.1</a>)</span>. The server <span class="bcp14">MUST</span> include a method in the "<code>:method</code>" pseudo-header
            field that is safe and cacheable. If a client receives a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> that does not include a complete and valid set of
            header fields or the "<code>:method</code>" pseudo-header field identifies a method that is
            not safe, it <span class="bcp14">MUST</span> respond on the promised stream with a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-8.4.1-4" class="pilcrow">¶</a></p>
<p id="section-8.4.1-5">The server <span class="bcp14">SHOULD</span> send <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a>
            (<a href="#PUSH_PROMISE" class="xref">Section 6.6</a>) frames prior to sending any frames that reference the
            promised responses. This avoids a race where clients issue requests prior to receiving
            any <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames.<a href="#section-8.4.1-5" class="pilcrow">¶</a></p>
<p id="section-8.4.1-6">For example, if the server receives a request for a document containing embedded links
            to multiple image files and the server chooses to push those additional images to the
            client, sending <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames
            before the <a href="#DATA" class="xref">DATA</a> frames that contain the image
            links ensures that the client is able to see that a resource will be pushed before
            discovering embedded links. Similarly, if the server pushes resources referenced by the
            field block (for instance, in Link header fields), sending a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> before sending the header
            ensures that clients do not request those resources.<a href="#section-8.4.1-6" class="pilcrow">¶</a></p>
<p id="section-8.4.1-7"><a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames <span class="bcp14">MUST NOT</span> be sent by the client.<a href="#section-8.4.1-7" class="pilcrow">¶</a></p>
<p id="section-8.4.1-8"><a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames can be sent by the server on any
            client-initiated stream, but the stream <span class="bcp14">MUST</span> be in either the "open" or "half-closed
            (remote)" state with respect to the server.  <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames are
            interspersed with the frames that comprise a response, though they cannot be
            interspersed with <a href="#HEADERS" class="xref">HEADERS</a> and <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames that
            comprise a single field block.<a href="#section-8.4.1-8" class="pilcrow">¶</a></p>
<p id="section-8.4.1-9">Sending a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame creates a new stream and puts the stream
            into the "reserved (local)" state for the server and the "reserved (remote)" state for
            the client.<a href="#section-8.4.1-9" class="pilcrow">¶</a></p>
</section>
</div>
<div id="PushResponses">
<section id="section-8.4.2">
          <h4 id="name-push-responses">
<a href="#section-8.4.2" class="section-number selfRef">8.4.2. </a><a href="#name-push-responses" class="section-name selfRef">Push Responses</a>
          </h4>
<p id="section-8.4.2-1">After sending the <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame,
            the server can begin delivering the pushed response as a <span><a href="#HttpResponse" class="xref">response</a> (<a href="#HttpResponse" class="xref">Section 8.3.2</a>)</span> on a server-initiated stream that uses the
            promised stream identifier. The server uses this stream to transmit an HTTP response,
            using the same sequence of frames as that defined in <a href="#HttpFraming" class="xref">Section 8.1</a>. This
            stream becomes <span><a href="#StreamStates" class="xref">"half-closed" to the client</a> (<a href="#StreamStates" class="xref">Section 5.1</a>)</span> after the
            initial <a href="#HEADERS" class="xref">HEADERS</a> frame is sent.<a href="#section-8.4.2-1" class="pilcrow">¶</a></p>
<p id="section-8.4.2-2">Once a client receives a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame and chooses to accept the
            pushed response, the client <span class="bcp14">SHOULD NOT</span> issue any requests for the promised response
            until after the promised stream has closed.<a href="#section-8.4.2-2" class="pilcrow">¶</a></p>
<p id="section-8.4.2-3">If the client determines, for any reason, that it does not wish to receive the pushed
            response from the server or if the server takes too long to begin sending the promised
            response, the client can send a <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame, using either the <a href="#CANCEL" class="xref">CANCEL</a> or <a href="#REFUSED_STREAM" class="xref">REFUSED_STREAM</a> code and referencing the pushed stream's identifier.<a href="#section-8.4.2-3" class="pilcrow">¶</a></p>
<p id="section-8.4.2-4">A client can use the <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> setting to limit the number of
            responses that can be concurrently pushed by a server. Advertising a <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> value of zero prevents the server
            from opening the streams necessary to push responses. However, this does not prevent the
            server from reserving streams using <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames, because reserved streams do not count toward
            the concurrent stream limit. Clients that do not wish to receive pushed resources need
            to reset any unwanted reserved streams or set <a href="#SETTINGS_ENABLE_PUSH" class="xref">SETTINGS_ENABLE_PUSH</a> to 0.<a href="#section-8.4.2-4" class="pilcrow">¶</a></p>
<p id="section-8.4.2-5">Clients receiving a pushed response <span class="bcp14">MUST</span> validate that either the server is
            authoritative (see <a href="#authority" class="xref">Section 10.1</a>) or the proxy that provided the pushed
            response is configured for the corresponding request. For example, a server that offers
            a certificate for only the <code>example.com</code> DNS-ID (see <span>[<a href="#RFC6125" class="xref">RFC6125</a>]</span>)
            is not permitted to push a response for &lt;<code>https://www.example.org/doc</code>&gt;.<a href="#section-8.4.2-5" class="pilcrow">¶</a></p>
<p id="section-8.4.2-6">The response for a <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> stream begins with a
            <a href="#HEADERS" class="xref">HEADERS</a> frame, which immediately puts the stream into the "half-closed
            (remote)" state for the server and "half-closed (local)" state for the client, and ends
            with a frame with the END_STREAM flag set, which places the stream in the "closed" state.<a href="#section-8.4.2-6" class="pilcrow">¶</a></p>
<aside id="section-8.4.2-7">
            <p id="section-8.4.2-7.1">Note:
              The client never sends a frame with the END_STREAM flag set for a server push.<a href="#section-8.4.2-7.1" class="pilcrow">¶</a></p>
</aside>
</section>
</div>
</section>
</div>
<div id="CONNECT">
<section id="section-8.5">
        <h3 id="name-the-connect-method">
<a href="#section-8.5" class="section-number selfRef">8.5. </a><a href="#name-the-connect-method" class="section-name selfRef">The CONNECT Method</a>
        </h3>
<p id="section-8.5-1">The CONNECT method (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9.3.6" class="relref">Section 9.3.6</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) is
          used to convert an HTTP connection into a tunnel to a remote host.
          CONNECT is primarily used with HTTP proxies to establish a TLS session with an origin
          server for the purposes of interacting with "<code>https</code>" resources.<a href="#section-8.5-1" class="pilcrow">¶</a></p>
<p id="section-8.5-2">In HTTP/2, the CONNECT method establishes a tunnel over a single HTTP/2 stream to a
          remote host, rather than converting the entire connection to a tunnel. A CONNECT header
          section is constructed as defined in <a href="#HttpRequest" class="xref">Section 8.3.1</a> ("<a href="#HttpRequest" class="xref">Request Pseudo-Header Fields</a>"), with a few differences. Specifically:<a href="#section-8.5-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.5-3.1">The "<code>:method</code>" pseudo-header field is set to <code>CONNECT</code>.<a href="#section-8.5-3.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.5-3.2">The "<code>:scheme</code>" and "<code>:path</code>" pseudo-header
              fields <span class="bcp14">MUST</span> be omitted.<a href="#section-8.5-3.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.5-3.3">The "<code>:authority</code>" pseudo-header field contains the host and port to
              connect to (equivalent to the authority-form of the request-target of CONNECT
              requests; see <span><a href="https://www.rfc-editor.org/rfc/rfc9112#section-3.2.3" class="relref">Section 3.2.3</a> of [<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>).<a href="#section-8.5-3.3" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-8.5-4">A CONNECT request that does not conform to these restrictions is <span><a href="#malformed" class="xref">malformed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.<a href="#section-8.5-4" class="pilcrow">¶</a></p>
<p id="section-8.5-5">A proxy that supports CONNECT establishes a <span><a href="#RFC0793" class="xref">TCP connection</a> [<a href="#RFC0793" class="xref">TCP</a>]</span> to
          the host and port identified in the "<code>:authority</code>" pseudo-header field. Once
          this connection is successfully established, the proxy sends a <a href="#HEADERS" class="xref">HEADERS</a>
          frame containing a 2xx-series status code to the client, as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9.3.6" class="relref">Section 9.3.6</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>.<a href="#section-8.5-5" class="pilcrow">¶</a></p>
<p id="section-8.5-6">After the initial <a href="#HEADERS" class="xref">HEADERS</a> frame sent by each
          peer, all subsequent <a href="#DATA" class="xref">DATA</a> frames correspond to
          data sent on the TCP connection. The frame payload of any <a href="#DATA" class="xref">DATA</a> frames sent by the client is transmitted by the proxy to the
          TCP server; data received from the TCP server is assembled into <a href="#DATA" class="xref">DATA</a> frames by the proxy. Frame types other than <a href="#DATA" class="xref">DATA</a> or stream management frames (<a href="#RST_STREAM" class="xref">RST_STREAM</a>, <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a>, and <a href="#PRIORITY" class="xref">PRIORITY</a>) <span class="bcp14">MUST NOT</span> be sent on a connected stream and <span class="bcp14">MUST</span> be treated
          as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> if received.<a href="#section-8.5-6" class="pilcrow">¶</a></p>
<p id="section-8.5-7">The TCP connection can be closed by either peer.  The END_STREAM flag on a
          <a href="#DATA" class="xref">DATA</a> frame is treated as being equivalent to the TCP FIN bit.  A client is
          expected to send a <a href="#DATA" class="xref">DATA</a> frame with the END_STREAM flag set after receiving
          a frame with the END_STREAM flag set.  A proxy that receives a <a href="#DATA" class="xref">DATA</a> frame
          with the END_STREAM flag set sends the attached data with the FIN bit set on the last TCP
          segment.  A proxy that receives a TCP segment with the FIN bit set sends a
          <a href="#DATA" class="xref">DATA</a> frame with the END_STREAM flag set.  Note that the final TCP segment
          or <a href="#DATA" class="xref">DATA</a> frame could be empty.<a href="#section-8.5-7" class="pilcrow">¶</a></p>
<p id="section-8.5-8">A TCP connection error is signaled with <a href="#RST_STREAM" class="xref">RST_STREAM</a>.  A proxy treats any
          error in the TCP connection, which includes receiving a TCP segment with the RST bit set,
          as a <span><a href="#StreamErrorHandler" class="xref">stream error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type
          <a href="#CONNECT_ERROR" class="xref">CONNECT_ERROR</a>.  Correspondingly, a proxy <span class="bcp14">MUST</span> send a TCP segment with the
          RST bit set if it detects an error with the stream or the HTTP/2 connection.<a href="#section-8.5-8" class="pilcrow">¶</a></p>
</section>
</div>
<div id="informational-responses">
<section id="section-8.6">
        <h3 id="name-the-upgrade-header-field">
<a href="#section-8.6" class="section-number selfRef">8.6. </a><a href="#name-the-upgrade-header-field" class="section-name selfRef">The Upgrade Header Field</a>
        </h3>
<p id="section-8.6-1">HTTP/2 does not support the 101 (Switching Protocols) informational status code
          (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-15.2.2" class="relref">Section 15.2.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-8.6-1" class="pilcrow">¶</a></p>
<p id="section-8.6-2">The semantics of 101 (Switching Protocols) aren't applicable to a multiplexed protocol.
          Similar functionality might be enabled through the use of <span><a href="#RFC8441" class="xref">extended
          CONNECT</a> [<a href="#RFC8441" class="xref">RFC8441</a>]</span>, and other protocols are able to use the same mechanisms that HTTP/2 uses to
          negotiate their use (see <a href="#starting" class="xref">Section 3</a>).<a href="#section-8.6-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="Reliability">
<section id="section-8.7">
        <h3 id="name-request-reliability">
<a href="#section-8.7" class="section-number selfRef">8.7. </a><a href="#name-request-reliability" class="section-name selfRef">Request Reliability</a>
        </h3>
<p id="section-8.7-1">In general, an HTTP client is unable to retry a non-idempotent request when an error
          occurs because there is no means to determine the nature of the error (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-9.2.2" class="relref">Section 9.2.2</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).  It is possible
          that some server processing occurred prior to the error, which could result in
          undesirable effects if the request were reattempted.<a href="#section-8.7-1" class="pilcrow">¶</a></p>
<p id="section-8.7-2">HTTP/2 provides two mechanisms for providing a guarantee to a client that a request has
          not been processed:<a href="#section-8.7-2" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-8.7-3.1">The <a href="#GOAWAY" class="xref">GOAWAY</a> frame indicates the highest stream number that might have
              been processed.  Requests on streams with higher numbers are therefore guaranteed to
              be safe to retry.<a href="#section-8.7-3.1" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-8.7-3.2">The <a href="#REFUSED_STREAM" class="xref">REFUSED_STREAM</a> error code can be included in a
              <a href="#RST_STREAM" class="xref">RST_STREAM</a> frame to indicate that the stream is being closed prior to
              any processing having occurred.  Any request that was sent on the reset stream can
              be safely retried.<a href="#section-8.7-3.2" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-8.7-4">Requests that have not been processed have not failed; clients <span class="bcp14">MAY</span> automatically retry
          them, even those with non-idempotent methods.<a href="#section-8.7-4" class="pilcrow">¶</a></p>
<p id="section-8.7-5">A server <span class="bcp14">MUST NOT</span> indicate that a stream has not been processed unless it can guarantee
          that fact.  If frames that are on a stream are passed to the application layer for any
          stream, then <a href="#REFUSED_STREAM" class="xref">REFUSED_STREAM</a> <span class="bcp14">MUST NOT</span> be used for that stream, and a
          <a href="#GOAWAY" class="xref">GOAWAY</a> frame <span class="bcp14">MUST</span> include a stream identifier that is greater than or
          equal to the given stream identifier.<a href="#section-8.7-5" class="pilcrow">¶</a></p>
<p id="section-8.7-6">In addition to these mechanisms, the <a href="#PING" class="xref">PING</a> frame provides a way for a
          client to easily test a connection.  Connections that remain idle can become broken, because
          some middleboxes (for instance, network address translators or load balancers) silently
          discard connection bindings.  The <a href="#PING" class="xref">PING</a> frame allows a client to safely
          test whether a connection is still active without sending a request.<a href="#section-8.7-6" class="pilcrow">¶</a></p>
</section>
</div>
<div id="HttpExamples">
<section id="section-8.8">
        <h3 id="name-examples">
<a href="#section-8.8" class="section-number selfRef">8.8. </a><a href="#name-examples" class="section-name selfRef">Examples</a>
        </h3>
<p id="section-8.8-1">This section shows HTTP/1.1 requests and responses, with illustrations of equivalent
            HTTP/2 requests and responses.<a href="#section-8.8-1" class="pilcrow">¶</a></p>
<section id="section-8.8.1">
          <h4 id="name-simple-request">
<a href="#section-8.8.1" class="section-number selfRef">8.8.1. </a><a href="#name-simple-request" class="section-name selfRef">Simple Request</a>
          </h4>
<p id="section-8.8.1-1">An HTTP GET request includes control data and a request header with no message content and is therefore
            transmitted as a single <a href="#HEADERS" class="xref">HEADERS</a> frame, followed by zero or more
            <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames containing the serialized block of request header
            fields.  The <a href="#HEADERS" class="xref">HEADERS</a> frame in the following has both the END_HEADERS and
            END_STREAM flags set; no <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames are sent.<a href="#section-8.8.1-1" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.8.1-2">
<pre>
  GET /resource HTTP/1.1           HEADERS
  Host: example.org          ==&gt;     + END_STREAM
  Accept: image/jpeg                 + END_HEADERS
                                       :method = GET
                                       :scheme = https
                                       :authority = example.org
                                       :path = /resource
                                       host = example.org
                                       accept = image/jpeg
</pre><a href="#section-8.8.1-2" class="pilcrow">¶</a>
</div>
</section>
<section id="section-8.8.2">
          <h4 id="name-simple-response">
<a href="#section-8.8.2" class="section-number selfRef">8.8.2. </a><a href="#name-simple-response" class="section-name selfRef">Simple Response</a>
          </h4>
<p id="section-8.8.2-1">Similarly, a response that includes only control data and a response header is transmitted as a
            <a href="#HEADERS" class="xref">HEADERS</a> frame (again, followed by zero or more
            <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames) containing the serialized block of response header
            fields.<a href="#section-8.8.2-1" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.8.2-2">
<pre>
  HTTP/1.1 304 Not Modified        HEADERS
  ETag: "xyzzy"              ==&gt;     + END_STREAM
  Expires: Thu, 23 Jan ...           + END_HEADERS
                                       :status = 304
                                       etag = "xyzzy"
                                       expires = Thu, 23 Jan ...
</pre><a href="#section-8.8.2-2" class="pilcrow">¶</a>
</div>
</section>
<section id="section-8.8.3">
          <h4 id="name-complex-request">
<a href="#section-8.8.3" class="section-number selfRef">8.8.3. </a><a href="#name-complex-request" class="section-name selfRef">Complex Request</a>
          </h4>
<p id="section-8.8.3-1">An HTTP POST request that includes control data and a request header with message content is transmitted
            as one <a href="#HEADERS" class="xref">HEADERS</a> frame, followed by zero or more
            <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames containing the request header, followed by one
            or more <a href="#DATA" class="xref">DATA</a> frames, with the last <a href="#CONTINUATION" class="xref">CONTINUATION</a> (or
            <a href="#HEADERS" class="xref">HEADERS</a>) frame having the END_HEADERS flag set and the final
            <a href="#DATA" class="xref">DATA</a> frame having the END_STREAM flag set:<a href="#section-8.8.3-1" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.8.3-2">
<pre>
  POST /resource HTTP/1.1          HEADERS
  Host: example.org          ==&gt;     - END_STREAM
  Content-Type: image/jpeg           - END_HEADERS
  Content-Length: 123                  :method = POST
                                       :authority = example.org
                                       :path = /resource
  {binary data}                        :scheme = https

                                   CONTINUATION
                                     + END_HEADERS
                                       content-type = image/jpeg
                                       host = example.org
                                       content-length = 123

                                   DATA
                                     + END_STREAM
                                   {binary data}
</pre><a href="#section-8.8.3-2" class="pilcrow">¶</a>
</div>
<p id="section-8.8.3-3" class="keepWithPrevious">Note that data contributing to any given field line could be spread between field
              block fragments.  The allocation of field lines to frames in this example is
              illustrative only.<a href="#section-8.8.3-3" class="pilcrow">¶</a></p>
</section>
<section id="section-8.8.4">
          <h4 id="name-response-with-body">
<a href="#section-8.8.4" class="section-number selfRef">8.8.4. </a><a href="#name-response-with-body" class="section-name selfRef">Response with Body</a>
          </h4>
<p id="section-8.8.4-1">A response that includes control data and a response header with message content is
            transmitted as a <a href="#HEADERS" class="xref">HEADERS</a> frame, followed by
            zero or more <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames,
            followed by one or more <a href="#DATA" class="xref">DATA</a> frames, with the
            last <a href="#DATA" class="xref">DATA</a> frame in the sequence having the
            END_STREAM flag set:<a href="#section-8.8.4-1" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.8.4-2">
<pre>
  HTTP/1.1 200 OK                  HEADERS
  Content-Type: image/jpeg   ==&gt;     - END_STREAM
  Content-Length: 123                + END_HEADERS
                                       :status = 200
  {binary data}                        content-type = image/jpeg
                                       content-length = 123

                                   DATA
                                     + END_STREAM
                                   {binary data}
</pre><a href="#section-8.8.4-2" class="pilcrow">¶</a>
</div>
</section>
<section id="section-8.8.5">
          <h4 id="name-informational-responses">
<a href="#section-8.8.5" class="section-number selfRef">8.8.5. </a><a href="#name-informational-responses" class="section-name selfRef">Informational Responses</a>
          </h4>
<p id="section-8.8.5-1">An informational response using a 1xx status code other than 101 is transmitted as a
            <a href="#HEADERS" class="xref">HEADERS</a> frame, followed by zero or more
            <a href="#CONTINUATION" class="xref">CONTINUATION</a> frames.<a href="#section-8.8.5-1" class="pilcrow">¶</a></p>
<p id="section-8.8.5-2">A trailer section is sent as a field block after both the request or response
            field block and all the <a href="#DATA" class="xref">DATA</a> frames have been sent.  The
            <a href="#HEADERS" class="xref">HEADERS</a> frame starting the field block that comprises
            the trailer section has the END_STREAM flag set.<a href="#section-8.8.5-2" class="pilcrow">¶</a></p>
<p id="section-8.8.5-3" class="keepWithNext">The following example includes both a 100 (Continue) status code, which is sent in
              response to a request containing a "100-continue" token in the Expect header field,
              and a trailer section:<a href="#section-8.8.5-3" class="pilcrow">¶</a></p>
<div class="alignLeft art-inline art-text artwork" id="section-8.8.5-4">
<pre>
  HTTP/1.1 100 Continue            HEADERS
  Extension-Field: bar       ==&gt;     - END_STREAM
                                     + END_HEADERS
                                       :status = 100
                                       extension-field = bar

  HTTP/1.1 200 OK                  HEADERS
  Content-Type: image/jpeg   ==&gt;     - END_STREAM
  Transfer-Encoding: chunked         + END_HEADERS
  Trailer: Foo                         :status = 200
                                       content-type = image/jpeg
  123                                  trailer = Foo
  {binary data}
  0                                DATA
  Foo: bar                           - END_STREAM
                                   {binary data}

                                   HEADERS
                                     + END_STREAM
                                     + END_HEADERS
                                       foo = bar
</pre><a href="#section-8.8.5-4" class="pilcrow">¶</a>
</div>
</section>
</section>
</div>
</section>
</div>
<div id="HttpExtra">
<section id="section-9">
      <h2 id="name-http-2-connections">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-http-2-connections" class="section-name selfRef">HTTP/2 Connections</a>
      </h2>
<p id="section-9-1">This section outlines attributes of HTTP that improve interoperability, reduce exposure to
        known security vulnerabilities, or reduce the potential for implementation variation.<a href="#section-9-1" class="pilcrow">¶</a></p>
<section id="section-9.1">
        <h3 id="name-connection-management">
<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-connection-management" class="section-name selfRef">Connection Management</a>
        </h3>
<p id="section-9.1-1">HTTP/2 connections are persistent.  For best performance, it is expected that clients will not
          close connections until it is determined that no further communication with a server is
          necessary (for example, when a user navigates away from a particular web page) or until
          the server closes the connection.<a href="#section-9.1-1" class="pilcrow">¶</a></p>
<p id="section-9.1-2">Clients <span class="bcp14">SHOULD NOT</span> open more than one HTTP/2 connection to a given host and port pair,
          where the host is derived from a URI, a selected <span><a href="#RFC7838" class="xref">alternative
          service</a> [<a href="#RFC7838" class="xref">ALT-SVC</a>]</span>, or a configured proxy.<a href="#section-9.1-2" class="pilcrow">¶</a></p>
<p id="section-9.1-3">A client can create additional connections as replacements, either to replace connections
          that are near to exhausting the available <span><a href="#StreamIdentifiers" class="xref">stream
          identifier space</a> (<a href="#StreamIdentifiers" class="xref">Section 5.1.1</a>)</span>, to refresh the keying material for a TLS connection, or to
          replace connections that have encountered <span><a href="#ConnectionErrorHandler" class="xref">errors</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>.<a href="#section-9.1-3" class="pilcrow">¶</a></p>
<p id="section-9.1-4">A client <span class="bcp14">MAY</span> open multiple connections to the same IP address and TCP port using different
          <span><a href="#RFC6066" class="xref">Server Name Indication</a> [<a href="#RFC6066" class="xref">TLS-EXT</a>]</span> values or to provide different TLS
          client certificates but <span class="bcp14">SHOULD</span> avoid creating multiple connections with the same
          configuration.<a href="#section-9.1-4" class="pilcrow">¶</a></p>
<p id="section-9.1-5">Servers are encouraged to maintain open connections for as long as possible but are
          permitted to terminate idle connections if necessary.  When either endpoint chooses to
          close the transport-layer TCP connection, the terminating endpoint <span class="bcp14">SHOULD</span> first send a
          <a href="#GOAWAY" class="xref">GOAWAY</a> (<a href="#GOAWAY" class="xref">Section 6.8</a>) frame so that both endpoints can reliably
          determine whether previously sent frames have been processed and gracefully complete or
          terminate any necessary remaining tasks.<a href="#section-9.1-5" class="pilcrow">¶</a></p>
<div id="reuse">
<section id="section-9.1.1">
          <h4 id="name-connection-reuse">
<a href="#section-9.1.1" class="section-number selfRef">9.1.1. </a><a href="#name-connection-reuse" class="section-name selfRef">Connection Reuse</a>
          </h4>
<p id="section-9.1.1-1">Connections that are made to an origin server, either directly or through a tunnel
            created using the <span><a href="#CONNECT" class="xref">CONNECT method</a> (<a href="#CONNECT" class="xref">Section 8.5</a>)</span>, <span class="bcp14">MAY</span> be reused for
            requests with multiple different URI authority components.  A connection can be reused
            as long as the origin server is <span><a href="#authority" class="xref">authoritative</a> (<a href="#authority" class="xref">Section 10.1</a>)</span>.  For TCP
            connections without TLS, this depends on the host having resolved to the same IP
            address.<a href="#section-9.1.1-1" class="pilcrow">¶</a></p>
<p id="section-9.1.1-2">For "<code>https</code>" resources, connection reuse additionally depends
            on having a certificate that is valid for the host in the URI.  The certificate
            presented by the server <span class="bcp14">MUST</span> satisfy any checks that the client would perform when
            forming a new TLS connection for the host in the URI.  A single certificate can be
            used to establish authority for multiple origins.  <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-4.3" class="relref">Section 4.3</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>
            describes how a client determines whether a server is authoritative for a URI.<a href="#section-9.1.1-2" class="pilcrow">¶</a></p>
<p id="section-9.1.1-3">In some deployments, reusing a connection for multiple origins can result in requests
            being directed to the wrong origin server.  For example, TLS termination might be
            performed by a middlebox that uses the TLS <span><a href="#RFC6066" class="xref">Server Name
            Indication</a> [<a href="#RFC6066" class="xref">TLS-EXT</a>]</span> extension to select an origin server.  This means that it is possible
            for clients to send requests to servers that might not be the intended target for the
            request, even though the server is otherwise authoritative.<a href="#section-9.1.1-3" class="pilcrow">¶</a></p>
<p id="section-9.1.1-4">A server that does not wish clients to reuse connections can indicate that it is not
            authoritative for a request by sending a 421 (Misdirected Request) status code in response
            to the request (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-15.5.20" class="relref">Section 15.5.20</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-9.1.1-4" class="pilcrow">¶</a></p>
<p id="section-9.1.1-5">A client that is configured to use a proxy over HTTP/2 directs requests to that proxy
            through a single connection.  That is, all requests sent via a proxy reuse the
            connection to the proxy.<a href="#section-9.1.1-5" class="pilcrow">¶</a></p>
</section>
</div>
</section>
<div id="TLSUsage">
<section id="section-9.2">
        <h3 id="name-use-of-tls-features">
<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-use-of-tls-features" class="section-name selfRef">Use of TLS Features</a>
        </h3>
<p id="section-9.2-1">Implementations of HTTP/2 <span class="bcp14">MUST</span> use <span><a href="#RFC5246" class="xref">TLS version 1.2</a> [<a href="#RFC5246" class="xref">TLS12</a>]</span> or higher
          for HTTP/2 over TLS.  The general TLS usage guidance in <span>[<a href="#RFC7525" class="xref">TLSBCP</a>]</span> <span class="bcp14">SHOULD</span> be
          followed, with some additional restrictions that are specific to HTTP/2.<a href="#section-9.2-1" class="pilcrow">¶</a></p>
<p id="section-9.2-2">The TLS implementation <span class="bcp14">MUST</span> support the <span><a href="#RFC6066" class="xref">Server Name Indication
          (SNI)</a> [<a href="#RFC6066" class="xref">TLS-EXT</a>]</span> extension to TLS. If the server is identified by a <span><a href="#RFC8499" class="xref">domain name</a> [<a href="#RFC8499" class="xref">DNS-TERMS</a>]</span>, clients <span class="bcp14">MUST</span> send the server_name TLS extension
          unless an alternative mechanism to indicate the target host is used.<a href="#section-9.2-2" class="pilcrow">¶</a></p>
<p id="section-9.2-3">Requirements for deployments of HTTP/2 that negotiate <span><a href="#RFC8446" class="xref">TLS 1.3</a> [<a href="#RFC8446" class="xref">TLS13</a>]</span>
          are included in <a href="#tls13features" class="xref">Section 9.2.3</a>.  Deployments of TLS 1.2 are subject to
          the requirements in Sections <a href="#tls12features" class="xref">9.2.1</a> and <a href="#tls12ciphers" class="xref">9.2.2</a>.
          Implementations are encouraged to provide defaults that comply, but it is recognized that
          deployments are ultimately responsible for compliance.<a href="#section-9.2-3" class="pilcrow">¶</a></p>
<div id="tls12features">
<section id="section-9.2.1">
          <h4 id="name-tls-12-features">
<a href="#section-9.2.1" class="section-number selfRef">9.2.1. </a><a href="#name-tls-12-features" class="section-name selfRef">TLS 1.2 Features</a>
          </h4>
<p id="section-9.2.1-1">This section describes restrictions on the TLS 1.2 feature set that can be used with
            HTTP/2. Due to deployment limitations, it might not be possible to fail TLS negotiation
            when these restrictions are not met. An endpoint <span class="bcp14">MAY</span> immediately terminate an HTTP/2
            connection that does not meet these TLS requirements with a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#INADEQUATE_SECURITY" class="xref">INADEQUATE_SECURITY</a>.<a href="#section-9.2.1-1" class="pilcrow">¶</a></p>
<p id="section-9.2.1-2">A deployment of HTTP/2 over TLS 1.2 <span class="bcp14">MUST</span> disable compression. TLS compression can lead
            to the exposure of information that would not otherwise be revealed <span>[<a href="#RFC3749" class="xref">RFC3749</a>]</span>. Generic compression is unnecessary, since HTTP/2 provides
            compression features that are more aware of context and therefore likely to be more
            appropriate for use for performance, security, or other reasons.<a href="#section-9.2.1-2" class="pilcrow">¶</a></p>
<p id="section-9.2.1-3">A deployment of HTTP/2 over TLS 1.2 <span class="bcp14">MUST</span> disable renegotiation. An endpoint <span class="bcp14">MUST</span> treat
            a TLS renegotiation as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span>
            of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>. Note that
            disabling renegotiation can result in long-lived connections becoming unusable due to
            limits on the number of messages the underlying cipher suite can encipher.<a href="#section-9.2.1-3" class="pilcrow">¶</a></p>
<p id="section-9.2.1-4">An endpoint <span class="bcp14">MAY</span> use renegotiation to provide confidentiality protection for client
            credentials offered in the handshake, but any renegotiation <span class="bcp14">MUST</span> occur prior to sending
            the connection preface.  A server <span class="bcp14">SHOULD</span> request a client certificate if it sees a
            renegotiation request immediately after establishing a connection.<a href="#section-9.2.1-4" class="pilcrow">¶</a></p>
<p id="section-9.2.1-5">This effectively prevents the use of renegotiation in response to a request for a
            specific protected resource.  A future specification might provide a way to support this
            use case. Alternatively, a server might use an <span><a href="#ErrorHandler" class="xref">error</a> (<a href="#ErrorHandler" class="xref">Section 5.4</a>)</span> of type <a href="#HTTP_1_1_REQUIRED" class="xref">HTTP_1_1_REQUIRED</a> to request that the client
            use a protocol that supports renegotiation.<a href="#section-9.2.1-5" class="pilcrow">¶</a></p>
<p id="section-9.2.1-6">Implementations <span class="bcp14">MUST</span> support ephemeral key exchange sizes of at least 2048 bits for
            cipher suites that use ephemeral finite field Diffie-Hellman (DHE) (<span><a href="https://www.rfc-editor.org/rfc/rfc5246#section-8.1.2" class="relref">Section 8.1.2</a> of [<a href="#RFC5246" class="xref">TLS12</a>]</span>) and 224 bits for cipher suites that use ephemeral elliptic curve
            Diffie-Hellman (ECDHE) <span>[<a href="#RFC8422" class="xref">RFC8422</a>]</span>. Clients <span class="bcp14">MUST</span> accept DHE sizes of up to
            4096 bits. Endpoints <span class="bcp14">MAY</span> treat negotiation of key sizes smaller than the lower limits
            as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#INADEQUATE_SECURITY" class="xref">INADEQUATE_SECURITY</a>.<a href="#section-9.2.1-6" class="pilcrow">¶</a></p>
</section>
</div>
<div id="tls12ciphers">
<section id="section-9.2.2">
          <h4 id="name-tls-12-cipher-suites">
<a href="#section-9.2.2" class="section-number selfRef">9.2.2. </a><a href="#name-tls-12-cipher-suites" class="section-name selfRef">TLS 1.2 Cipher Suites</a>
          </h4>
<p id="section-9.2.2-1">A deployment of HTTP/2 over TLS 1.2 <span class="bcp14">SHOULD NOT</span> use any of the prohibited cipher suites listed in <a href="#BadCipherSuites" class="xref">Appendix A</a>.<a href="#section-9.2.2-1" class="pilcrow">¶</a></p>
<p id="section-9.2.2-2">Endpoints <span class="bcp14">MAY</span> choose to generate a <span><a href="#ConnectionErrorHandler" class="xref">connection
            error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#INADEQUATE_SECURITY" class="xref">INADEQUATE_SECURITY</a> if one of the prohibited cipher suites is
            negotiated. A deployment that chooses to use a prohibited cipher suite risks triggering
            a connection error unless the set of potential peers is known to accept that cipher
            suite.<a href="#section-9.2.2-2" class="pilcrow">¶</a></p>
<p id="section-9.2.2-3">Implementations <span class="bcp14">MUST NOT</span> generate this error in reaction to the negotiation of a cipher
            suite that is not prohibited.  Consequently, when clients offer a cipher suite
            that is not prohibited, they have to be prepared to use that cipher suite with
            HTTP/2.<a href="#section-9.2.2-3" class="pilcrow">¶</a></p>
<p id="section-9.2.2-4">The list of prohibited cipher suites includes the cipher suite that TLS 1.2 makes
            mandatory, which means that TLS 1.2 deployments could have non-intersecting sets of
            permitted cipher suites.  To avoid this problem, which causes TLS handshake failures,
            deployments of HTTP/2 that use TLS 1.2 <span class="bcp14">MUST</span> support
            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 <span>[<a href="#RFC5289" class="xref">TLS-ECDHE</a>]</span> with the P-256 elliptic
            curve <span>[<a href="#RFC8422" class="xref">RFC8422</a>]</span>.<a href="#section-9.2.2-4" class="pilcrow">¶</a></p>
<p id="section-9.2.2-5">Note that clients might advertise support of cipher suites that are prohibited in
            order to allow for connection to servers that do not support HTTP/2.  This allows
            servers to select HTTP/1.1 with a cipher suite that is prohibited in HTTP/2.
            However, this can result in HTTP/2 being negotiated with a prohibited cipher suite if
            the application protocol and cipher suite are independently selected.<a href="#section-9.2.2-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="tls13features">
<section id="section-9.2.3">
          <h4 id="name-tls-13-features">
<a href="#section-9.2.3" class="section-number selfRef">9.2.3. </a><a href="#name-tls-13-features" class="section-name selfRef">TLS 1.3 Features</a>
          </h4>
<p id="section-9.2.3-1">TLS 1.3 includes a number of features not available in earlier versions.  This section
            discusses the use of these features.<a href="#section-9.2.3-1" class="pilcrow">¶</a></p>
<p id="section-9.2.3-2">HTTP/2 servers <span class="bcp14">MUST NOT</span> send post-handshake TLS 1.3 CertificateRequest messages. HTTP/2
            clients <span class="bcp14">MUST</span> treat a TLS post-handshake CertificateRequest message as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#PROTOCOL_ERROR" class="xref">PROTOCOL_ERROR</a>.<a href="#section-9.2.3-2" class="pilcrow">¶</a></p>
<p id="section-9.2.3-3">The prohibition on post-handshake authentication applies even if the client offered the
            "post_handshake_auth" TLS extension.  Post-handshake authentication support might be
            advertised independently of <span><a href="#RFC7301" class="xref">ALPN</a> [<a href="#RFC7301" class="xref">TLS-ALPN</a>]</span>.  Clients might offer
            the capability for use in other protocols, but inclusion of the extension cannot imply
            support within HTTP/2.<a href="#section-9.2.3-3" class="pilcrow">¶</a></p>
<p id="section-9.2.3-4"><span>[<a href="#RFC8446" class="xref">TLS13</a>]</span> defines other post-handshake messages, NewSessionTicket and
            KeyUpdate, which can be used as they have no direct interaction with HTTP/2.  Unless the
            use of a new type of TLS message depends on an interaction with the application-layer
            protocol, that TLS message can be sent after the handshake completes.<a href="#section-9.2.3-4" class="pilcrow">¶</a></p>
<p id="section-9.2.3-5">TLS early data <span class="bcp14">MAY</span> be used to send requests, provided that the guidance in <span>[<a href="#RFC8470" class="xref">RFC8470</a>]</span> is observed. Clients send requests in early data assuming initial
            values for all server settings.<a href="#section-9.2.3-5" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
</section>
</div>
<div id="security">
<section id="section-10">
      <h2 id="name-security-considerations">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
      </h2>
<p id="section-10-1">The use of TLS is necessary to provide many of the security properties of this protocol.
        Many of the claims in this section do not hold unless TLS is used as described in <a href="#TLSUsage" class="xref">Section 9.2</a>.<a href="#section-10-1" class="pilcrow">¶</a></p>
<div id="authority">
<section id="section-10.1">
        <h3 id="name-server-authority">
<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-server-authority" class="section-name selfRef">Server Authority</a>
        </h3>
<p id="section-10.1-1">HTTP/2 relies on the HTTP definition of authority for determining whether a server is
          authoritative in providing a given response (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-4.3" class="relref">Section 4.3</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).
          This relies on local name resolution for the "<code>http</code>" URI scheme and the authenticated server
          identity for the "<code>https</code>" scheme.<a href="#section-10.1-1" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-10.2">
        <h3 id="name-cross-protocol-attacks">
<a href="#section-10.2" class="section-number selfRef">10.2. </a><a href="#name-cross-protocol-attacks" class="section-name selfRef">Cross-Protocol Attacks</a>
        </h3>
<p id="section-10.2-1">In a cross-protocol attack, an attacker causes a client to initiate a transaction in one
          protocol toward a server that understands a different protocol.  An attacker might be able
          to cause the transaction to appear as a valid transaction in the second protocol.  In
          combination with the capabilities of the web context, this can be used to interact with
          poorly protected servers in private networks.<a href="#section-10.2-1" class="pilcrow">¶</a></p>
<p id="section-10.2-2">Completing a TLS handshake with an ALPN identifier for HTTP/2 can be considered sufficient
          protection against cross-protocol attacks.  ALPN provides a positive indication that a
          server is willing to proceed with HTTP/2, which prevents attacks on other TLS-based
          protocols.<a href="#section-10.2-2" class="pilcrow">¶</a></p>
<p id="section-10.2-3">The encryption in TLS makes it difficult for attackers to control the data that could be
          used in a cross-protocol attack on a cleartext protocol.<a href="#section-10.2-3" class="pilcrow">¶</a></p>
<p id="section-10.2-4">The cleartext version of HTTP/2 has minimal protection against cross-protocol attacks.
          The <span><a href="#preface" class="xref">connection preface</a> (<a href="#preface" class="xref">Section 3.4</a>)</span> contains a string that is
          designed to confuse HTTP/1.1 servers, but no special protection is offered for other
          protocols.<a href="#section-10.2-4" class="pilcrow">¶</a></p>
</section>
<section id="section-10.3">
        <h3 id="name-intermediary-encapsulation-">
<a href="#section-10.3" class="section-number selfRef">10.3. </a><a href="#name-intermediary-encapsulation-" class="section-name selfRef">Intermediary Encapsulation Attacks</a>
        </h3>
<p id="section-10.3-1">HPACK permits encoding of field names and values that might be treated as delimiters in
          other HTTP versions.  An intermediary that translates an HTTP/2 request or response <span class="bcp14">MUST</span>
          validate fields according to the rules in <a href="#HttpHeaders" class="xref">Section 8.2</a> before
          translating a message to another HTTP version.  Translating a field that includes invalid
          delimiters could be used to cause recipients to incorrectly interpret a message, which
          could be exploited by an attacker.<a href="#section-10.3-1" class="pilcrow">¶</a></p>
<p id="section-10.3-2"><a href="#HttpHeaders" class="xref">Section 8.2</a> does not include specific rules for validation of
          pseudo-header fields.  If the values of these fields are used, additional validation is
          necessary. This is particularly important where "<code>:scheme</code>", "<code>:authority</code>", and
          "<code>:path</code>" are combined to form a single URI string <span>[<a href="#RFC3986" class="xref">RFC3986</a>]</span>. Similar problems might occur when that URI or just "<code>:path</code>" is
          combined with "<code>:method</code>" to construct a request line (as in <span><a href="https://www.rfc-editor.org/rfc/rfc9112#section-3" class="relref">Section 3</a> of [<a href="#RFC9112" class="xref">HTTP/1.1</a>]</span>). Simple concatenation is not secure unless the input values are fully
          validated.<a href="#section-10.3-2" class="pilcrow">¶</a></p>
<p id="section-10.3-3">An intermediary can reject fields that contain invalid field names or values for other
          reasons -- in particular, those fields that do not conform to the HTTP ABNF grammar from <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-5" class="relref">Section 5</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>. Intermediaries that do not perform any validation of fields
          other than the minimum required by <a href="#HttpHeaders" class="xref">Section 8.2</a> could forward messages
          that contain invalid field names or values.<a href="#section-10.3-3" class="pilcrow">¶</a></p>
<p id="section-10.3-4">An intermediary that receives any fields that require removal before forwarding
          (see <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-7.6.1" class="relref">Section 7.6.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>) <span class="bcp14">MUST</span> remove or replace those header fields when
          forwarding messages. Additionally, intermediaries should take care when forwarding messages
          containing <code>Content-Length</code> fields to ensure that the message is <span><a href="#malformed" class="xref">well-formed</a> (<a href="#malformed" class="xref">Section 8.1.1</a>)</span>.
          This ensures that if the message is translated into HTTP/1.1 at any point, the framing will be correct.<a href="#section-10.3-4" class="pilcrow">¶</a></p>
</section>
<section id="section-10.4">
        <h3 id="name-cacheability-of-pushed-resp">
<a href="#section-10.4" class="section-number selfRef">10.4. </a><a href="#name-cacheability-of-pushed-resp" class="section-name selfRef">Cacheability of Pushed Responses</a>
        </h3>
<p id="section-10.4-1">Pushed responses do not have an explicit request from the client; the request
          is provided by the server in the <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frame.<a href="#section-10.4-1" class="pilcrow">¶</a></p>
<p id="section-10.4-2">Caching responses that are pushed is possible based on the guidance provided by the origin
          server in the Cache-Control header field.  However, this can cause issues if a single
          server hosts more than one tenant.  For example, a server might offer multiple users each
          a small portion of its URI space.<a href="#section-10.4-2" class="pilcrow">¶</a></p>
<p id="section-10.4-3">Where multiple tenants share space on the same server, that server <span class="bcp14">MUST</span> ensure that
          tenants are not able to push representations of resources that they do not have authority
          over.  Failure to enforce this would allow a tenant to provide a representation that would
          be served out of cache, overriding the actual representation that the authoritative tenant
          provides.<a href="#section-10.4-3" class="pilcrow">¶</a></p>
<p id="section-10.4-4">Pushed responses for which an origin server is not authoritative (see
          <a href="#authority" class="xref">Section 10.1</a>) <span class="bcp14">MUST NOT</span> be used or cached.<a href="#section-10.4-4" class="pilcrow">¶</a></p>
</section>
<div id="dos">
<section id="section-10.5">
        <h3 id="name-denial-of-service-considera">
<a href="#section-10.5" class="section-number selfRef">10.5. </a><a href="#name-denial-of-service-considera" class="section-name selfRef">Denial-of-Service Considerations</a>
        </h3>
<p id="section-10.5-1">An HTTP/2 connection can demand a greater commitment of resources to operate than an
          HTTP/1.1 connection.  Both field section compression and flow control depend on a
          commitment of a greater amount of state.  Settings for these
          features ensure that memory commitments for these features are strictly bounded.<a href="#section-10.5-1" class="pilcrow">¶</a></p>
<p id="section-10.5-2">The number of <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames is not
          constrained in the same fashion.  A client that accepts server push <span class="bcp14">SHOULD</span> limit the
          number of streams it allows to be in the "reserved (remote)" state.  An excessive number
          of server push streams can be treated as a <span><a href="#StreamErrorHandler" class="xref">stream
          error</a> (<a href="#StreamErrorHandler" class="xref">Section 5.4.2</a>)</span> of type <a href="#ENHANCE_YOUR_CALM" class="xref">ENHANCE_YOUR_CALM</a>.<a href="#section-10.5-2" class="pilcrow">¶</a></p>
<p id="section-10.5-3">A number of HTTP/2 implementations were found to be vulnerable to denial of service <span>[<a href="#NFLX-2019-002" class="xref">NFLX-2019-002</a>]</span>.  Below is a list of known ways that implementations might be
          subject to denial-of-service attacks:<a href="#section-10.5-3" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-10.5-4.1">
            <p id="section-10.5-4.1.1">Inefficient tracking of outstanding outbound frames can lead to overload if an adversary can
              cause large numbers of frames to be enqueued for sending.  A peer could use one of
              several techniques to cause large numbers of frames to be generated:<a href="#section-10.5-4.1.1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="section-10.5-4.1.2.1">Providing tiny increments to flow control in <a href="#WINDOW_UPDATE" class="xref">WINDOW_UPDATE</a> frames can cause a sender to generate a large
                number of <a href="#DATA" class="xref">DATA</a> frames.<a href="#section-10.5-4.1.2.1" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-10.5-4.1.2.2">An endpoint is required to respond to a <a href="#PING" class="xref">PING</a> frame.<a href="#section-10.5-4.1.2.2" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-10.5-4.1.2.3">Each <a href="#SETTINGS" class="xref">SETTINGS</a> frame requires
                acknowledgment.<a href="#section-10.5-4.1.2.3" class="pilcrow">¶</a>
</li>
              <li class="normal" id="section-10.5-4.1.2.4">An invalid request (or server push) can cause a peer to send <a href="#RST_STREAM" class="xref">RST_STREAM</a> frames in response.<a href="#section-10.5-4.1.2.4" class="pilcrow">¶</a>
</li>
            </ul>
</li>
          <li class="normal" id="section-10.5-4.2">An attacker can provide large amounts of flow-control credit at the HTTP/2 layer but
            withhold credit at the TCP layer, preventing frames from being sent.  An endpoint that
            constructs and remembers frames for sending without considering TCP limits might be
            subject to resource exhaustion.<a href="#section-10.5-4.2" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-10.5-4.3">Large numbers of small or empty frames can be abused to cause a peer to expend time
            processing frame headers.  Caution is required here as some uses of small frames are
            entirely legitimate, such as the sending of an empty <a href="#DATA" class="xref">DATA</a> or <a href="#CONTINUATION" class="xref">CONTINUATION</a> frame at the end of a stream.<a href="#section-10.5-4.3" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-10.5-4.4">The <a href="#SETTINGS" class="xref">SETTINGS</a> frame might also be abused to
            cause a peer to expend additional processing time.  This might be done by pointlessly
            changing settings, sending multiple undefined settings, or changing the
            same setting multiple times in the same frame.<a href="#section-10.5-4.4" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-10.5-4.5">Handling reprioritization with <a href="#PRIORITY" class="xref">PRIORITY</a>
            frames can require significant processing time and can lead to overload if many <a href="#PRIORITY" class="xref">PRIORITY</a> frames are sent.<a href="#section-10.5-4.5" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-10.5-4.6">Field section compression also provides opportunities for an attacker to waste
            processing resources; see <span><a href="https://www.rfc-editor.org/rfc/rfc7541#section-7" class="relref">Section 7</a> of [<a href="#RFC7541" class="xref">COMPRESSION</a>]</span> for more details on
            potential abuses.<a href="#section-10.5-4.6" class="pilcrow">¶</a>
</li>
          <li class="normal" id="section-10.5-4.7">Limits in <a href="#SETTINGS" class="xref">SETTINGS</a> cannot be reduced
            instantaneously, which leaves an endpoint exposed to behavior from a peer that could
            exceed the new limits. In particular, immediately after establishing a connection,
            limits set by a server are not known to clients and could be exceeded without being an
            obvious protocol violation.<a href="#section-10.5-4.7" class="pilcrow">¶</a>
</li>
        </ul>
<p id="section-10.5-5">Most of the features that might be exploited for denial of service -- such as <a href="#SETTINGS" class="xref">SETTINGS</a> changes, small frames, field section
          compression -- have legitimate uses.  These features become a burden only when they are
          used unnecessarily or to excess.<a href="#section-10.5-5" class="pilcrow">¶</a></p>
<p id="section-10.5-6">An endpoint that doesn't monitor use of these features exposes itself to a risk of
          denial of service.  Implementations <span class="bcp14">SHOULD</span> track the use of these features and set
          limits on their use.  An endpoint <span class="bcp14">MAY</span> treat activity that is suspicious as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type <a href="#ENHANCE_YOUR_CALM" class="xref">ENHANCE_YOUR_CALM</a>.<a href="#section-10.5-6" class="pilcrow">¶</a></p>
<div id="MaxFieldBlock">
<section id="section-10.5.1">
          <h4 id="name-limits-on-field-block-size">
<a href="#section-10.5.1" class="section-number selfRef">10.5.1. </a><a href="#name-limits-on-field-block-size" class="section-name selfRef">Limits on Field Block Size</a>
          </h4>
<p id="section-10.5.1-1">A large <span><a href="#FieldBlock" class="xref">field block</a> (<a href="#FieldBlock" class="xref">Section 4.3</a>)</span> can cause an implementation to
            commit a large amount of state.  Field lines that are critical for routing can appear
            toward the end of a field block, which prevents streaming of fields to their
            ultimate destination.  This ordering and other reasons, such as ensuring cache
            correctness, mean that an endpoint might need to buffer the entire field block.  Since
            there is no hard limit to the size of a field block, some endpoints could be forced to
            commit a large amount of available memory for field blocks.<a href="#section-10.5.1-1" class="pilcrow">¶</a></p>
<p id="section-10.5.1-2">An endpoint can use the <a href="#SETTINGS_MAX_HEADER_LIST_SIZE" class="xref">SETTINGS_MAX_HEADER_LIST_SIZE</a> to advise peers of
            limits that might apply on the size of uncompressed field blocks.  This setting is only advisory, so
            endpoints <span class="bcp14">MAY</span> choose to send field blocks that exceed this limit and risk the
            request or response being treated as malformed.  This setting is specific to a
            connection, so any request or response could encounter a hop with a lower, unknown
            limit.  An intermediary can attempt to avoid this problem by passing on values presented
            by different peers, but they are not obliged to do so.<a href="#section-10.5.1-2" class="pilcrow">¶</a></p>
<p id="section-10.5.1-3">A server that receives a larger field block than it is willing to handle can send an
            HTTP 431 (Request Header Fields Too Large) status code <span>[<a href="#RFC6585" class="xref">RFC6585</a>]</span>.  A
            client can discard responses that it cannot process.  The field block <span class="bcp14">MUST</span> be processed
            to ensure a consistent connection state, unless the connection is closed.<a href="#section-10.5.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="connectDos">
<section id="section-10.5.2">
          <h4 id="name-connect-issues">
<a href="#section-10.5.2" class="section-number selfRef">10.5.2. </a><a href="#name-connect-issues" class="section-name selfRef">CONNECT Issues</a>
          </h4>
<p id="section-10.5.2-1">The CONNECT method can be used to create disproportionate load on a proxy, since stream
            creation is relatively inexpensive when compared to the creation and maintenance of a
            TCP connection.  A proxy might also maintain some resources for a TCP connection beyond
            the closing of the stream that carries the CONNECT request, since the outgoing TCP
            connection remains in the TIME_WAIT state.  Therefore, a proxy cannot rely on
            <a href="#SETTINGS_MAX_CONCURRENT_STREAMS" class="xref">SETTINGS_MAX_CONCURRENT_STREAMS</a> alone to limit the resources consumed by
            CONNECT requests.<a href="#section-10.5.2-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<section id="section-10.6">
        <h3 id="name-use-of-compression">
<a href="#section-10.6" class="section-number selfRef">10.6. </a><a href="#name-use-of-compression" class="section-name selfRef">Use of Compression</a>
        </h3>
<p id="section-10.6-1">Compression can allow an attacker to recover secret data when it is compressed in the same
          context as data under attacker control.  HTTP/2 enables compression of field lines
          (<a href="#FieldBlock" class="xref">Section 4.3</a>); the following concerns also apply to the use of HTTP
          compressed content-codings (<span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-8.4.1" class="relref">Section 8.4.1</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>).<a href="#section-10.6-1" class="pilcrow">¶</a></p>
<p id="section-10.6-2">There are demonstrable attacks on compression that exploit the characteristics of the Web
          (e.g., <span>[<a href="#BREACH" class="xref">BREACH</a>]</span>).  The attacker induces multiple requests containing
          varying plaintext, observing the length of the resulting ciphertext in each, which
          reveals a shorter length when a guess about the secret is correct.<a href="#section-10.6-2" class="pilcrow">¶</a></p>
<p id="section-10.6-3">Implementations communicating on a secure channel <span class="bcp14">MUST NOT</span> compress content that includes
          both confidential and attacker-controlled data unless separate compression dictionaries
          are used for each source of data.  Compression <span class="bcp14">MUST NOT</span> be used if the source of data
          cannot be reliably determined.  Generic stream compression, such as that provided by TLS,
          <span class="bcp14">MUST NOT</span> be used with HTTP/2 (see <a href="#TLSUsage" class="xref">Section 9.2</a>).<a href="#section-10.6-3" class="pilcrow">¶</a></p>
<p id="section-10.6-4">Further considerations regarding the compression of header fields are described in <span>[<a href="#RFC7541" class="xref">COMPRESSION</a>]</span>.<a href="#section-10.6-4" class="pilcrow">¶</a></p>
</section>
<div id="padding">
<section id="section-10.7">
        <h3 id="name-use-of-padding">
<a href="#section-10.7" class="section-number selfRef">10.7. </a><a href="#name-use-of-padding" class="section-name selfRef">Use of Padding</a>
        </h3>
<p id="section-10.7-1">Padding within HTTP/2 is not intended as a replacement for general purpose padding, such
          as that provided by <span><a href="#RFC8446" class="xref">TLS</a> [<a href="#RFC8446" class="xref">TLS13</a>]</span>.  Redundant padding could even be
          counterproductive.  Correct application can depend on having specific knowledge of the
          data that is being padded.<a href="#section-10.7-1" class="pilcrow">¶</a></p>
<p id="section-10.7-2">To mitigate attacks that rely on compression, disabling or limiting compression might be
          preferable to padding as a countermeasure.<a href="#section-10.7-2" class="pilcrow">¶</a></p>
<p id="section-10.7-3">Padding can be used to obscure the exact size of frame content and is provided to
          mitigate specific attacks within HTTP -- for example, attacks where compressed content
          includes both attacker-controlled plaintext and secret data (e.g., <span>[<a href="#BREACH" class="xref">BREACH</a>]</span>).<a href="#section-10.7-3" class="pilcrow">¶</a></p>
<p id="section-10.7-4">Use of padding can result in less protection than might seem immediately obvious.  At
          best, padding only makes it more difficult for an attacker to infer length information by
          increasing the number of frames an attacker has to observe.  Incorrectly implemented
          padding schemes can be easily defeated.  In particular, randomized padding with a
          predictable distribution provides very little protection; similarly, padding frame payloads to a
          fixed size exposes information as frame payload sizes cross the fixed-sized boundary, which could
          be possible if an attacker can control plaintext.<a href="#section-10.7-4" class="pilcrow">¶</a></p>
<p id="section-10.7-5">Intermediaries <span class="bcp14">SHOULD</span> retain padding for <a href="#DATA" class="xref">DATA</a> frames but <span class="bcp14">MAY</span> drop padding
          for <a href="#HEADERS" class="xref">HEADERS</a> and <a href="#PUSH_PROMISE" class="xref">PUSH_PROMISE</a> frames.  A valid reason for an
          intermediary to change the amount of padding of frames is to improve the protections that
          padding provides.<a href="#section-10.7-5" class="pilcrow">¶</a></p>
</section>
</div>
<section id="section-10.8">
        <h3 id="name-privacy-considerations">
<a href="#section-10.8" class="section-number selfRef">10.8. </a><a href="#name-privacy-considerations" class="section-name selfRef">Privacy Considerations</a>
        </h3>
<p id="section-10.8-1">Several characteristics of HTTP/2 provide an observer an opportunity to correlate actions
          of a single client or server over time.  These include the values of settings, the manner
          in which flow-control windows are managed, the way priorities are allocated to streams,
          the timing of reactions to stimulus, and the handling of any features that are controlled by
          settings.<a href="#section-10.8-1" class="pilcrow">¶</a></p>
<p id="section-10.8-2">As far as these create observable differences in behavior, they could be used as a basis
          for fingerprinting a specific client, as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc6973#section-3.2" class="relref">Section 3.2</a> of [<a href="#RFC6973" class="xref">PRIVACY</a>]</span>.<a href="#section-10.8-2" class="pilcrow">¶</a></p>
<p id="section-10.8-3">HTTP/2's preference for using a single TCP connection allows correlation of a user's
          activity on a site.  Reusing connections for different origins allows tracking
          across those origins.<a href="#section-10.8-3" class="pilcrow">¶</a></p>
<p id="section-10.8-4">Because the PING and SETTINGS frames solicit immediate responses, they can be used by an
          endpoint to measure latency to their peer.  This might have privacy implications in
          certain scenarios.<a href="#section-10.8-4" class="pilcrow">¶</a></p>
</section>
<section id="section-10.9">
        <h3 id="name-remote-timing-attacks">
<a href="#section-10.9" class="section-number selfRef">10.9. </a><a href="#name-remote-timing-attacks" class="section-name selfRef">Remote Timing Attacks</a>
        </h3>
<p id="section-10.9-1">Remote timing attacks extract secrets from servers by observing variations in the time
          that servers take when processing requests that use secrets. HTTP/2 enables concurrent
          request creation and processing, which can give attackers better control over when request
          processing commences.  Multiple HTTP/2 requests can be included in the same IP packet or
          TLS record.  HTTP/2 can therefore make remote timing attacks more efficient by eliminating
          variability in request delivery, leaving only request order and the delivery of responses
          as sources of timing variability.<a href="#section-10.9-1" class="pilcrow">¶</a></p>
<p id="section-10.9-2">Ensuring that processing time is not dependent on the value of a secret is the best
          defense against any form of timing attack.<a href="#section-10.9-2" class="pilcrow">¶</a></p>
</section>
</section>
</div>
<div id="iana">
<section id="section-11">
      <h2 id="name-iana-considerations">
<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<p id="section-11-1">This revision of HTTP/2 marks the <code>HTTP2-Settings</code> header field and the
        <code>h2c</code> upgrade token, both defined in <span>[<a href="#RFC7540" class="xref">RFC7540</a>]</span>, as obsolete.<a href="#section-11-1" class="pilcrow">¶</a></p>
<p id="section-11-2"><span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-11" class="relref">Section 11</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span> registered the <code>h2</code> and <code>h2c</code> ALPN
        identifiers along with the <code>PRI</code> HTTP method.  RFC 7540 also established a registry
        for frame types, settings, and error codes.  These registrations and registries apply to
        HTTP/2, but are not redefined in this document.<a href="#section-11-2" class="pilcrow">¶</a></p>
<p id="section-11-3">IANA has updated references to RFC 7540 in the
        following registries to refer to this document: "TLS
        Application-Layer Protocol Negotiation (ALPN) Protocol IDs",
        "HTTP/2 Frame Type", "HTTP/2 Settings", "HTTP/2 Error Code",
        and "HTTP Method Registry".  The registration of the
        <code>PRI</code> method has been updated to refer to <a href="#preface" class="xref">Section 3.4</a>; all other section numbers have not
        changed.<a href="#section-11-3" class="pilcrow">¶</a></p>
<p id="section-11-4">IANA has changed the policy on those portions of the "HTTP/2
        Frame Type" and "HTTP/2 Settings" registries that were
        reserved for Experimental Use in RFC 7540. These portions of
        the registries shall operate on the same policy as the
        remainder of each registry.<a href="#section-11-4" class="pilcrow">¶</a></p>
<div id="HTTP2-Settings">
<section id="section-11.1">
        <h3 id="name-http2-settings-header-field">
<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-http2-settings-header-field" class="section-name selfRef">HTTP2-Settings Header Field Registration</a>
        </h3>
<p id="section-11.1-1">This section marks the <code>HTTP2-Settings</code> header field registered by <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-11.5" class="relref">Section 11.5</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span> in the "Hypertext Transfer Protocol (HTTP) Field Name
          Registry" as obsolete.  This capability has been removed: see <a href="#versioning" class="xref">Section 3.1</a>.
          The registration is updated to include the details as required by <span><a href="https://www.rfc-editor.org/rfc/rfc9110#section-18.4" class="relref">Section 18.4</a> of [<a href="#RFC9110" class="xref">HTTP</a>]</span>:<a href="#section-11.1-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-11.1-2">
          <dt id="section-11.1-2.1">Field Name:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-2.2">HTTP2-Settings<a href="#section-11.1-2.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.1-2.3">Status:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-2.4">obsoleted<a href="#section-11.1-2.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.1-2.5">Reference:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-2.6">
            <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-3.2.1" class="relref">Section 3.2.1</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span><a href="#section-11.1-2.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.1-2.7">Comments:</dt>
          <dd style="margin-left: 1.5em" id="section-11.1-2.8">Obsolete; see <a href="#HTTP2-Settings" class="xref">Section 11.1</a> of this document.<a href="#section-11.1-2.8" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
</section>
</div>
<div id="iana-h2c">
<section id="section-11.2">
        <h3 id="name-the-h2c-upgrade-token">
<a href="#section-11.2" class="section-number selfRef">11.2. </a><a href="#name-the-h2c-upgrade-token" class="section-name selfRef">The h2c Upgrade Token</a>
        </h3>
<p id="section-11.2-1">This section records the <code>h2c</code> upgrade token registered by <span><a href="https://www.rfc-editor.org/rfc/rfc7540#section-11.8" class="relref">Section 11.8</a> of [<a href="#RFC7540" class="xref">RFC7540</a>]</span> in the "Hypertext Transfer Protocol (HTTP) Upgrade Token Registry" as
          obsolete.  This capability has been removed: see <a href="#versioning" class="xref">Section 3.1</a>.  The
          registration is updated as follows:<a href="#section-11.2-1" class="pilcrow">¶</a></p>
<span class="break"></span><dl class="dlParallel" id="section-11.2-2">
          <dt id="section-11.2-2.1">Value:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-2.2">h2c<a href="#section-11.2-2.2" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.2-2.3">Description:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-2.4">(OBSOLETE) Hypertext Transfer Protocol version 2 (HTTP/2)<a href="#section-11.2-2.4" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.2-2.5">Expected Version Tokens:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-2.6">None<a href="#section-11.2-2.6" class="pilcrow">¶</a>
</dd>
          <dd class="break"></dd>
<dt id="section-11.2-2.7">Reference:</dt>
          <dd style="margin-left: 1.5em" id="section-11.2-2.8">
            <a href="#versioning" class="xref">Section 3.1</a> of this document<a href="#section-11.2-2.8" class="pilcrow">¶</a>
</dd>
        <dd class="break"></dd>
</dl>
</section>
</div>
</section>
</div>
<section id="section-12">
      <h2 id="name-references">
<a href="#section-12" class="section-number selfRef">12. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-12.1">
        <h3 id="name-normative-references">
<a href="#section-12.1" class="section-number selfRef">12.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC9111">[CACHING]</dt>
        <dd>
<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP Caching"</span>, <span class="seriesInfo">STD 98</span>, <span class="seriesInfo">RFC 9111</span>, <span class="seriesInfo">DOI 10.17487/RFC9111</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9111">https://www.rfc-editor.org/info/rfc9111</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7541">[COMPRESSION]</dt>
        <dd>
<span class="refAuthor">Peon, R.</span> and <span class="refAuthor">H. Ruellan</span>, <span class="refTitle">"HPACK: Header Compression for HTTP/2"</span>, <span class="seriesInfo">RFC 7541</span>, <span class="seriesInfo">DOI 10.17487/RFC7541</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7541">https://www.rfc-editor.org/info/rfc7541</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6265">[COOKIE]</dt>
        <dd>
<span class="refAuthor">Barth, A.</span>, <span class="refTitle">"HTTP State Management Mechanism"</span>, <span class="seriesInfo">RFC 6265</span>, <span class="seriesInfo">DOI 10.17487/RFC6265</span>, <time datetime="2011-04" class="refDate">April 2011</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6265">https://www.rfc-editor.org/info/rfc6265</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9110">[HTTP]</dt>
        <dd>
<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP Semantics"</span>, <span class="seriesInfo">STD 97</span>, <span class="seriesInfo">RFC 9110</span>, <span class="seriesInfo">DOI 10.17487/RFC9110</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9110">https://www.rfc-editor.org/info/rfc9110</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9000">[QUIC]</dt>
        <dd>
<span class="refAuthor">Iyengar, J., Ed.</span> and <span class="refAuthor">M. Thomson, Ed.</span>, <span class="refTitle">"QUIC: A UDP-Based Multiplexed and Secure Transport"</span>, <span class="seriesInfo">RFC 9000</span>, <span class="seriesInfo">DOI 10.17487/RFC9000</span>, <time datetime="2021-05" class="refDate">May 2021</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9000">https://www.rfc-editor.org/info/rfc9000</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC2119">[RFC2119]</dt>
        <dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC3986">[RFC3986]</dt>
        <dd>
<span class="refAuthor">Berners-Lee, T.</span>, <span class="refAuthor">Fielding, R.</span>, and <span class="refAuthor">L. Masinter</span>, <span class="refTitle">"Uniform Resource Identifier (URI): Generic Syntax"</span>, <span class="seriesInfo">STD 66</span>, <span class="seriesInfo">RFC 3986</span>, <span class="seriesInfo">DOI 10.17487/RFC3986</span>, <time datetime="2005-01" class="refDate">January 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc3986">https://www.rfc-editor.org/info/rfc3986</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
        <dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8422">[RFC8422]</dt>
        <dd>
<span class="refAuthor">Nir, Y.</span>, <span class="refAuthor">Josefsson, S.</span>, and <span class="refAuthor">M. Pegourie-Gonnard</span>, <span class="refTitle">"Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier"</span>, <span class="seriesInfo">RFC 8422</span>, <span class="seriesInfo">DOI 10.17487/RFC8422</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8422">https://www.rfc-editor.org/info/rfc8422</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8470">[RFC8470]</dt>
        <dd>
<span class="refAuthor">Thomson, M.</span>, <span class="refAuthor">Nottingham, M.</span>, and <span class="refAuthor">W. Tarreau</span>, <span class="refTitle">"Using Early Data in HTTP"</span>, <span class="seriesInfo">RFC 8470</span>, <span class="seriesInfo">DOI 10.17487/RFC8470</span>, <time datetime="2018-09" class="refDate">September 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8470">https://www.rfc-editor.org/info/rfc8470</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC0793">[TCP]</dt>
        <dd>
<span class="refAuthor">Postel, J.</span>, <span class="refTitle">"Transmission Control Protocol"</span>, <span class="seriesInfo">STD 7</span>, <span class="seriesInfo">RFC 793</span>, <span class="seriesInfo">DOI 10.17487/RFC0793</span>, <time datetime="1981-09" class="refDate">September 1981</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc793">https://www.rfc-editor.org/info/rfc793</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7301">[TLS-ALPN]</dt>
        <dd>
<span class="refAuthor">Friedl, S.</span>, <span class="refAuthor">Popov, A.</span>, <span class="refAuthor">Langley, A.</span>, and <span class="refAuthor">E. Stephan</span>, <span class="refTitle">"Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension"</span>, <span class="seriesInfo">RFC 7301</span>, <span class="seriesInfo">DOI 10.17487/RFC7301</span>, <time datetime="2014-07" class="refDate">July 2014</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7301">https://www.rfc-editor.org/info/rfc7301</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5289">[TLS-ECDHE]</dt>
        <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)"</span>, <span class="seriesInfo">RFC 5289</span>, <span class="seriesInfo">DOI 10.17487/RFC5289</span>, <time datetime="2008-08" class="refDate">August 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5289">https://www.rfc-editor.org/info/rfc5289</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6066">[TLS-EXT]</dt>
        <dd>
<span class="refAuthor">Eastlake 3rd, D.</span>, <span class="refTitle">"Transport Layer Security (TLS) Extensions: Extension Definitions"</span>, <span class="seriesInfo">RFC 6066</span>, <span class="seriesInfo">DOI 10.17487/RFC6066</span>, <time datetime="2011-01" class="refDate">January 2011</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6066">https://www.rfc-editor.org/info/rfc6066</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5246">[TLS12]</dt>
        <dd>
<span class="refAuthor">Dierks, T.</span> and <span class="refAuthor">E. Rescorla</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.2"</span>, <span class="seriesInfo">RFC 5246</span>, <span class="seriesInfo">DOI 10.17487/RFC5246</span>, <time datetime="2008-08" class="refDate">August 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5246">https://www.rfc-editor.org/info/rfc5246</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8446">[TLS13]</dt>
        <dd>
<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8446">https://www.rfc-editor.org/info/rfc8446</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7525">[TLSBCP]</dt>
      <dd>
<span class="refAuthor">Sheffer, Y.</span>, <span class="refAuthor">Holz, R.</span>, and <span class="refAuthor">P. Saint-Andre</span>, <span class="refTitle">"Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"</span>, <span class="seriesInfo">BCP 195</span>, <span class="seriesInfo">RFC 7525</span>, <span class="seriesInfo">DOI 10.17487/RFC7525</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7525">https://www.rfc-editor.org/info/rfc7525</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-12.2">
        <h3 id="name-informative-references">
<a href="#section-12.2" class="section-number selfRef">12.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="RFC7838">[ALT-SVC]</dt>
        <dd>
<span class="refAuthor">Nottingham, M.</span>, <span class="refAuthor">McManus, P.</span>, and <span class="refAuthor">J. Reschke</span>, <span class="refTitle">"HTTP Alternative Services"</span>, <span class="seriesInfo">RFC 7838</span>, <span class="seriesInfo">DOI 10.17487/RFC7838</span>, <time datetime="2016-04" class="refDate">April 2016</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7838">https://www.rfc-editor.org/info/rfc7838</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="BREACH">[BREACH]</dt>
        <dd>
<span class="refAuthor">Gluck, Y.</span>, <span class="refAuthor">Harris, N.</span>, and <span class="refAuthor">A. Prado</span>, <span class="refTitle">"BREACH: Reviving the CRIME Attack"</span>, <time datetime="2013-07-12" class="refDate">12 July 2013</time>, <span>&lt;<a href="https://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf">https://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8499">[DNS-TERMS]</dt>
        <dd>
<span class="refAuthor">Hoffman, P.</span>, <span class="refAuthor">Sullivan, A.</span>, and <span class="refAuthor">K. Fujiwara</span>, <span class="refTitle">"DNS Terminology"</span>, <span class="seriesInfo">BCP 219</span>, <span class="seriesInfo">RFC 8499</span>, <span class="seriesInfo">DOI 10.17487/RFC8499</span>, <time datetime="2019-01" class="refDate">January 2019</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8499">https://www.rfc-editor.org/info/rfc8499</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9218">[HTTP-PRIORITY]</dt>
        <dd>
<span class="refAuthor">Oku, K.</span> and <span class="refAuthor">L. Pardue</span>, <span class="refTitle">"Extensible Prioritization Scheme for HTTP"</span>, <span class="seriesInfo">RFC 9218</span>, <span class="seriesInfo">DOI 10.17487/RFC9218</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9218">https://www.rfc-editor.org/info/rfc9218</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC9112">[HTTP/1.1]</dt>
        <dd>
<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP/1.1"</span>, <span class="seriesInfo">STD 99</span>, <span class="seriesInfo">RFC 9112</span>, <span class="seriesInfo">DOI 10.17487/RFC9112</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc9112">https://www.rfc-editor.org/info/rfc9112</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="NFLX-2019-002">[NFLX-2019-002]</dt>
        <dd>
<span class="refAuthor">Netflix</span>, <span class="refTitle">"HTTP/2 Denial of Service Advisory"</span>, <time datetime="2019-08-13" class="refDate">13 August 2019</time>, <span>&lt;<a href="https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md">https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6973">[PRIVACY]</dt>
        <dd>
<span class="refAuthor">Cooper, A.</span>, <span class="refAuthor">Tschofenig, H.</span>, <span class="refAuthor">Aboba, B.</span>, <span class="refAuthor">Peterson, J.</span>, <span class="refAuthor">Morris, J.</span>, <span class="refAuthor">Hansen, M.</span>, and <span class="refAuthor">R. Smith</span>, <span class="refTitle">"Privacy Considerations for Internet Protocols"</span>, <span class="seriesInfo">RFC 6973</span>, <span class="seriesInfo">DOI 10.17487/RFC6973</span>, <time datetime="2013-07" class="refDate">July 2013</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6973">https://www.rfc-editor.org/info/rfc6973</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC1122">[RFC1122]</dt>
        <dd>
<span class="refAuthor">Braden, R., Ed.</span>, <span class="refTitle">"Requirements for Internet Hosts - Communication Layers"</span>, <span class="seriesInfo">STD 3</span>, <span class="seriesInfo">RFC 1122</span>, <span class="seriesInfo">DOI 10.17487/RFC1122</span>, <time datetime="1989-10" class="refDate">October 1989</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc1122">https://www.rfc-editor.org/info/rfc1122</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC3749">[RFC3749]</dt>
        <dd>
<span class="refAuthor">Hollenbeck, S.</span>, <span class="refTitle">"Transport Layer Security Protocol Compression Methods"</span>, <span class="seriesInfo">RFC 3749</span>, <span class="seriesInfo">DOI 10.17487/RFC3749</span>, <time datetime="2004-05" class="refDate">May 2004</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc3749">https://www.rfc-editor.org/info/rfc3749</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6125">[RFC6125]</dt>
        <dd>
<span class="refAuthor">Saint-Andre, P.</span> and <span class="refAuthor">J. Hodges</span>, <span class="refTitle">"Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)"</span>, <span class="seriesInfo">RFC 6125</span>, <span class="seriesInfo">DOI 10.17487/RFC6125</span>, <time datetime="2011-03" class="refDate">March 2011</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6125">https://www.rfc-editor.org/info/rfc6125</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6585">[RFC6585]</dt>
        <dd>
<span class="refAuthor">Nottingham, M.</span> and <span class="refAuthor">R. Fielding</span>, <span class="refTitle">"Additional HTTP Status Codes"</span>, <span class="seriesInfo">RFC 6585</span>, <span class="seriesInfo">DOI 10.17487/RFC6585</span>, <time datetime="2012-04" class="refDate">April 2012</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6585">https://www.rfc-editor.org/info/rfc6585</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7323">[RFC7323]</dt>
        <dd>
<span class="refAuthor">Borman, D.</span>, <span class="refAuthor">Braden, B.</span>, <span class="refAuthor">Jacobson, V.</span>, and <span class="refAuthor">R. Scheffenegger, Ed.</span>, <span class="refTitle">"TCP Extensions for High Performance"</span>, <span class="seriesInfo">RFC 7323</span>, <span class="seriesInfo">DOI 10.17487/RFC7323</span>, <time datetime="2014-09" class="refDate">September 2014</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7323">https://www.rfc-editor.org/info/rfc7323</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7540">[RFC7540]</dt>
        <dd>
<span class="refAuthor">Belshe, M.</span>, <span class="refAuthor">Peon, R.</span>, and <span class="refAuthor">M. Thomson, Ed.</span>, <span class="refTitle">"Hypertext Transfer Protocol Version 2 (HTTP/2)"</span>, <span class="seriesInfo">RFC 7540</span>, <span class="seriesInfo">DOI 10.17487/RFC7540</span>, <time datetime="2015-05" class="refDate">May 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7540">https://www.rfc-editor.org/info/rfc7540</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8441">[RFC8441]</dt>
        <dd>
<span class="refAuthor">McManus, P.</span>, <span class="refTitle">"Bootstrapping WebSockets with HTTP/2"</span>, <span class="seriesInfo">RFC 8441</span>, <span class="seriesInfo">DOI 10.17487/RFC8441</span>, <time datetime="2018-09" class="refDate">September 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8441">https://www.rfc-editor.org/info/rfc8441</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8740">[RFC8740]</dt>
        <dd>
<span class="refAuthor">Benjamin, D.</span>, <span class="refTitle">"Using TLS 1.3 with HTTP/2"</span>, <span class="seriesInfo">RFC 8740</span>, <span class="seriesInfo">DOI 10.17487/RFC8740</span>, <time datetime="2020-02" class="refDate">February 2020</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8740">https://www.rfc-editor.org/info/rfc8740</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="TALKING">[TALKING]</dt>
      <dd>
<span class="refAuthor">Huang, L.</span>, <span class="refAuthor">Chen, E.</span>, <span class="refAuthor">Barth, A.</span>, <span class="refAuthor">Rescorla, E.</span>, and <span class="refAuthor">C. Jackson</span>, <span class="refTitle">"Talking to Yourself for Fun and Profit"</span>, <time datetime="2011" class="refDate">2011</time>, <span>&lt;<a href="https://www.adambarth.com/papers/2011/huang-chen-barth-rescorla-jackson.pdf">https://www.adambarth.com/papers/2011/huang-chen-barth-rescorla-jackson.pdf</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="BadCipherSuites">
<section id="appendix-A">
      <h2 id="name-prohibited-tls-12-cipher-su">
<a href="#appendix-A" class="section-number selfRef">Appendix A. </a><a href="#name-prohibited-tls-12-cipher-su" class="section-name selfRef">Prohibited TLS 1.2 Cipher Suites</a>
      </h2>
<p id="appendix-A-1">An HTTP/2 implementation <span class="bcp14">MAY</span> treat the negotiation of any of the following cipher suites
        with TLS 1.2 as a <span><a href="#ConnectionErrorHandler" class="xref">connection error</a> (<a href="#ConnectionErrorHandler" class="xref">Section 5.4.1</a>)</span> of type
        <a href="#INADEQUATE_SECURITY" class="xref">INADEQUATE_SECURITY</a>:<a href="#appendix-A-1" class="pilcrow">¶</a></p>
<ul class="compact">
<li class="compact" id="appendix-A-2.1">TLS_NULL_WITH_NULL_NULL<a href="#appendix-A-2.1" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.2">TLS_RSA_WITH_NULL_MD5<a href="#appendix-A-2.2" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.3">TLS_RSA_WITH_NULL_SHA<a href="#appendix-A-2.3" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.4">TLS_RSA_EXPORT_WITH_RC4_40_MD5<a href="#appendix-A-2.4" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.5">TLS_RSA_WITH_RC4_128_MD5<a href="#appendix-A-2.5" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.6">TLS_RSA_WITH_RC4_128_SHA<a href="#appendix-A-2.6" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.7">TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5<a href="#appendix-A-2.7" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.8">TLS_RSA_WITH_IDEA_CBC_SHA<a href="#appendix-A-2.8" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.9">TLS_RSA_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.9" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.10">TLS_RSA_WITH_DES_CBC_SHA<a href="#appendix-A-2.10" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.11">TLS_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.11" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.12">TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.12" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.13">TLS_DH_DSS_WITH_DES_CBC_SHA<a href="#appendix-A-2.13" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.14">TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.14" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.15">TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.15" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.16">TLS_DH_RSA_WITH_DES_CBC_SHA<a href="#appendix-A-2.16" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.17">TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.17" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.18">TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.18" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.19">TLS_DHE_DSS_WITH_DES_CBC_SHA<a href="#appendix-A-2.19" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.20">TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.20" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.21">TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.21" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.22">TLS_DHE_RSA_WITH_DES_CBC_SHA<a href="#appendix-A-2.22" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.23">TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.23" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.24">TLS_DH_anon_EXPORT_WITH_RC4_40_MD5<a href="#appendix-A-2.24" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.25">TLS_DH_anon_WITH_RC4_128_MD5<a href="#appendix-A-2.25" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.26">TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA<a href="#appendix-A-2.26" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.27">TLS_DH_anon_WITH_DES_CBC_SHA<a href="#appendix-A-2.27" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.28">TLS_DH_anon_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.28" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.29">TLS_KRB5_WITH_DES_CBC_SHA<a href="#appendix-A-2.29" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.30">TLS_KRB5_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.30" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.31">TLS_KRB5_WITH_RC4_128_SHA<a href="#appendix-A-2.31" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.32">TLS_KRB5_WITH_IDEA_CBC_SHA<a href="#appendix-A-2.32" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.33">TLS_KRB5_WITH_DES_CBC_MD5<a href="#appendix-A-2.33" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.34">TLS_KRB5_WITH_3DES_EDE_CBC_MD5<a href="#appendix-A-2.34" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.35">TLS_KRB5_WITH_RC4_128_MD5<a href="#appendix-A-2.35" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.36">TLS_KRB5_WITH_IDEA_CBC_MD5<a href="#appendix-A-2.36" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.37">TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA<a href="#appendix-A-2.37" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.38">TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA<a href="#appendix-A-2.38" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.39">TLS_KRB5_EXPORT_WITH_RC4_40_SHA<a href="#appendix-A-2.39" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.40">TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5<a href="#appendix-A-2.40" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.41">TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5<a href="#appendix-A-2.41" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.42">TLS_KRB5_EXPORT_WITH_RC4_40_MD5<a href="#appendix-A-2.42" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.43">TLS_PSK_WITH_NULL_SHA<a href="#appendix-A-2.43" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.44">TLS_DHE_PSK_WITH_NULL_SHA<a href="#appendix-A-2.44" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.45">TLS_RSA_PSK_WITH_NULL_SHA<a href="#appendix-A-2.45" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.46">TLS_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.46" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.47">TLS_DH_DSS_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.47" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.48">TLS_DH_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.48" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.49">TLS_DHE_DSS_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.49" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.50">TLS_DHE_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.50" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.51">TLS_DH_anon_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.51" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.52">TLS_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.52" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.53">TLS_DH_DSS_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.53" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.54">TLS_DH_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.54" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.55">TLS_DHE_DSS_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.55" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.56">TLS_DHE_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.56" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.57">TLS_DH_anon_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.57" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.58">TLS_RSA_WITH_NULL_SHA256<a href="#appendix-A-2.58" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.59">TLS_RSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.59" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.60">TLS_RSA_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.60" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.61">TLS_DH_DSS_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.61" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.62">TLS_DH_RSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.62" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.63">TLS_DHE_DSS_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.63" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.64">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.64" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.65">TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.65" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.66">TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.66" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.67">TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.67" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.68">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.68" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.69">TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA<a href="#appendix-A-2.69" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.70">TLS_DHE_RSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.70" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.71">TLS_DH_DSS_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.71" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.72">TLS_DH_RSA_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.72" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.73">TLS_DHE_DSS_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.73" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.74">TLS_DHE_RSA_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.74" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.75">TLS_DH_anon_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.75" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.76">TLS_DH_anon_WITH_AES_256_CBC_SHA256<a href="#appendix-A-2.76" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.77">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.77" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.78">TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.78" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.79">TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.79" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.80">TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.80" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.81">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.81" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.82">TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA<a href="#appendix-A-2.82" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.83">TLS_PSK_WITH_RC4_128_SHA<a href="#appendix-A-2.83" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.84">TLS_PSK_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.84" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.85">TLS_PSK_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.85" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.86">TLS_PSK_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.86" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.87">TLS_DHE_PSK_WITH_RC4_128_SHA<a href="#appendix-A-2.87" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.88">TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.88" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.89">TLS_DHE_PSK_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.89" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.90">TLS_DHE_PSK_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.90" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.91">TLS_RSA_PSK_WITH_RC4_128_SHA<a href="#appendix-A-2.91" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.92">TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.92" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.93">TLS_RSA_PSK_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.93" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.94">TLS_RSA_PSK_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.94" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.95">TLS_RSA_WITH_SEED_CBC_SHA<a href="#appendix-A-2.95" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.96">TLS_DH_DSS_WITH_SEED_CBC_SHA<a href="#appendix-A-2.96" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.97">TLS_DH_RSA_WITH_SEED_CBC_SHA<a href="#appendix-A-2.97" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.98">TLS_DHE_DSS_WITH_SEED_CBC_SHA<a href="#appendix-A-2.98" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.99">TLS_DHE_RSA_WITH_SEED_CBC_SHA<a href="#appendix-A-2.99" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.100">TLS_DH_anon_WITH_SEED_CBC_SHA<a href="#appendix-A-2.100" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.101">TLS_RSA_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.101" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.102">TLS_RSA_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.102" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.103">TLS_DH_RSA_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.103" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.104">TLS_DH_RSA_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.104" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.105">TLS_DH_DSS_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.105" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.106">TLS_DH_DSS_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.106" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.107">TLS_DH_anon_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.107" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.108">TLS_DH_anon_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.108" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.109">TLS_PSK_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.109" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.110">TLS_PSK_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.110" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.111">TLS_RSA_PSK_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.111" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.112">TLS_RSA_PSK_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.112" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.113">TLS_PSK_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.113" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.114">TLS_PSK_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.114" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.115">TLS_PSK_WITH_NULL_SHA256<a href="#appendix-A-2.115" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.116">TLS_PSK_WITH_NULL_SHA384<a href="#appendix-A-2.116" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.117">TLS_DHE_PSK_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.117" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.118">TLS_DHE_PSK_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.118" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.119">TLS_DHE_PSK_WITH_NULL_SHA256<a href="#appendix-A-2.119" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.120">TLS_DHE_PSK_WITH_NULL_SHA384<a href="#appendix-A-2.120" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.121">TLS_RSA_PSK_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.121" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.122">TLS_RSA_PSK_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.122" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.123">TLS_RSA_PSK_WITH_NULL_SHA256<a href="#appendix-A-2.123" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.124">TLS_RSA_PSK_WITH_NULL_SHA384<a href="#appendix-A-2.124" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.125">TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.125" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.126">TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.126" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.127">TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.127" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.128">TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.128" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.129">TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.129" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.130">TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.130" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.131">TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.131" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.132">TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.132" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.133">TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.133" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.134">TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.134" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.135">TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.135" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.136">TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256<a href="#appendix-A-2.136" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.137">TLS_EMPTY_RENEGOTIATION_INFO_SCSV<a href="#appendix-A-2.137" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.138">TLS_ECDH_ECDSA_WITH_NULL_SHA<a href="#appendix-A-2.138" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.139">TLS_ECDH_ECDSA_WITH_RC4_128_SHA<a href="#appendix-A-2.139" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.140">TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.140" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.141">TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.141" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.142">TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.142" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.143">TLS_ECDHE_ECDSA_WITH_NULL_SHA<a href="#appendix-A-2.143" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.144">TLS_ECDHE_ECDSA_WITH_RC4_128_SHA<a href="#appendix-A-2.144" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.145">TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.145" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.146">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.146" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.147">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.147" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.148">TLS_ECDH_RSA_WITH_NULL_SHA<a href="#appendix-A-2.148" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.149">TLS_ECDH_RSA_WITH_RC4_128_SHA<a href="#appendix-A-2.149" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.150">TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.150" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.151">TLS_ECDH_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.151" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.152">TLS_ECDH_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.152" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.153">TLS_ECDHE_RSA_WITH_NULL_SHA<a href="#appendix-A-2.153" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.154">TLS_ECDHE_RSA_WITH_RC4_128_SHA<a href="#appendix-A-2.154" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.155">TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.155" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.156">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.156" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.157">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.157" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.158">TLS_ECDH_anon_WITH_NULL_SHA<a href="#appendix-A-2.158" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.159">TLS_ECDH_anon_WITH_RC4_128_SHA<a href="#appendix-A-2.159" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.160">TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.160" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.161">TLS_ECDH_anon_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.161" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.162">TLS_ECDH_anon_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.162" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.163">TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.163" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.164">TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.164" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.165">TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.165" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.166">TLS_SRP_SHA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.166" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.167">TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.167" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.168">TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.168" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.169">TLS_SRP_SHA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.169" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.170">TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.170" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.171">TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.171" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.172">TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.172" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.173">TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.173" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.174">TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.174" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.175">TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.175" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.176">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.176" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.177">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.177" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.178">TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.178" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.179">TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.179" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.180">TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.180" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.181">TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.181" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.182">TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256<a href="#appendix-A-2.182" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.183">TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384<a href="#appendix-A-2.183" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.184">TLS_ECDHE_PSK_WITH_RC4_128_SHA<a href="#appendix-A-2.184" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.185">TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA<a href="#appendix-A-2.185" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.186">TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA<a href="#appendix-A-2.186" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.187">TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA<a href="#appendix-A-2.187" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.188">TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256<a href="#appendix-A-2.188" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.189">TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384<a href="#appendix-A-2.189" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.190">TLS_ECDHE_PSK_WITH_NULL_SHA<a href="#appendix-A-2.190" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.191">TLS_ECDHE_PSK_WITH_NULL_SHA256<a href="#appendix-A-2.191" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.192">TLS_ECDHE_PSK_WITH_NULL_SHA384<a href="#appendix-A-2.192" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.193">TLS_RSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.193" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.194">TLS_RSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.194" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.195">TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.195" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.196">TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.196" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.197">TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.197" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.198">TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.198" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.199">TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.199" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.200">TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.200" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.201">TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.201" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.202">TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.202" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.203">TLS_DH_anon_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.203" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.204">TLS_DH_anon_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.204" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.205">TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.205" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.206">TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.206" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.207">TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.207" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.208">TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.208" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.209">TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.209" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.210">TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.210" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.211">TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.211" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.212">TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.212" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.213">TLS_RSA_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.213" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.214">TLS_RSA_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.214" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.215">TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.215" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.216">TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.216" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.217">TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.217" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.218">TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.218" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.219">TLS_DH_anon_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.219" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.220">TLS_DH_anon_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.220" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.221">TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.221" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.222">TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.222" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.223">TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.223" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.224">TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.224" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.225">TLS_PSK_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.225" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.226">TLS_PSK_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.226" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.227">TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.227" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.228">TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.228" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.229">TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.229" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.230">TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.230" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.231">TLS_PSK_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.231" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.232">TLS_PSK_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.232" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.233">TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256<a href="#appendix-A-2.233" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.234">TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384<a href="#appendix-A-2.234" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.235">TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256<a href="#appendix-A-2.235" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.236">TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384<a href="#appendix-A-2.236" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.237">TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.237" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.238">TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.238" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.239">TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.239" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.240">TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.240" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.241">TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.241" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.242">TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.242" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.243">TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.243" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.244">TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.244" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.245">TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.245" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.246">TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.246" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.247">TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.247" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.248">TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.248" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.249">TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.249" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.250">TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.250" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.251">TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.251" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.252">TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.252" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.253">TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.253" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.254">TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.254" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.255">TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.255" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.256">TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.256" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.257">TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.257" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.258">TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.258" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.259">TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256<a href="#appendix-A-2.259" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.260">TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384<a href="#appendix-A-2.260" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.261">TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.261" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.262">TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.262" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.263">TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.263" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.264">TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.264" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.265">TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.265" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.266">TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.266" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.267">TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256<a href="#appendix-A-2.267" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.268">TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384<a href="#appendix-A-2.268" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.269">TLS_RSA_WITH_AES_128_CCM<a href="#appendix-A-2.269" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.270">TLS_RSA_WITH_AES_256_CCM<a href="#appendix-A-2.270" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.271">TLS_RSA_WITH_AES_128_CCM_8<a href="#appendix-A-2.271" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.272">TLS_RSA_WITH_AES_256_CCM_8<a href="#appendix-A-2.272" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.273">TLS_PSK_WITH_AES_128_CCM<a href="#appendix-A-2.273" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.274">TLS_PSK_WITH_AES_256_CCM<a href="#appendix-A-2.274" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.275">TLS_PSK_WITH_AES_128_CCM_8<a href="#appendix-A-2.275" class="pilcrow">¶</a>
</li>
        <li class="compact" id="appendix-A-2.276">TLS_PSK_WITH_AES_256_CCM_8<a href="#appendix-A-2.276" class="pilcrow">¶</a>
</li>
      </ul>
<aside id="appendix-A-3">
        <p id="appendix-A-3.1">Note: This list was assembled from the set of registered TLS cipher suites when
      <span>[<a href="#RFC7540" class="xref">RFC7540</a>]</span> was developed.  This list includes those cipher suites that do not
      offer an ephemeral key exchange and those that are based on the TLS null, stream, or block
      cipher type (as defined in <span><a href="https://www.rfc-editor.org/rfc/rfc5246#section-6.2.3" class="relref">Section 6.2.3</a> of [<a href="#RFC5246" class="xref">TLS12</a>]</span>).  Additional cipher suites
      with these properties could be defined; these would not be explicitly prohibited.<a href="#appendix-A-3.1" class="pilcrow">¶</a></p>
</aside>
<p id="appendix-A-4">For more details, see <a href="#tls12ciphers" class="xref">Section 9.2.2</a>.<a href="#appendix-A-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="revision-updates">
<section id="appendix-B">
      <h2 id="name-changes-from-rfc-7540">
<a href="#appendix-B" class="section-number selfRef">Appendix B. </a><a href="#name-changes-from-rfc-7540" class="section-name selfRef">Changes from RFC 7540</a>
      </h2>
<p id="appendix-B-1">This revision includes the following substantive changes:<a href="#appendix-B-1" class="pilcrow">¶</a></p>
<ul class="normal">
<li class="normal" id="appendix-B-2.1">Use of TLS 1.3 was defined based on <span>[<a href="#RFC8740" class="xref">RFC8740</a>]</span>, which this document obsoletes.<a href="#appendix-B-2.1" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.2">The priority scheme defined in RFC 7540 is deprecated.  Definitions for the format of the
          <a href="#PRIORITY" class="xref">PRIORITY</a> frame and the priority fields in the
          <a href="#HEADERS" class="xref">HEADERS</a> frame have been retained, plus the
          rules governing when <a href="#PRIORITY" class="xref">PRIORITY</a> frames can be
          sent and received, but the semantics of these fields are only described in RFC 7540.  The
          priority signaling scheme from RFC 7540 was not successful.  Using the simpler signaling
          in <span>[<a href="#RFC9218" class="xref">HTTP-PRIORITY</a>]</span> is recommended.<a href="#appendix-B-2.2" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.3">The HTTP/1.1 Upgrade mechanism is deprecated and no longer specified in this document. It
          was never widely deployed, with plaintext HTTP/2 users choosing to use the prior-knowledge
          implementation instead.<a href="#appendix-B-2.3" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.4">Validation for field names and values has been narrowed.  The validation that is mandatory
          for intermediaries is precisely defined, and error reporting for requests has been amended
          to encourage sending 400-series status codes.<a href="#appendix-B-2.4" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.5">The ranges of codepoints for settings and frame types that were reserved for Experimental
          Use are now available for general use.<a href="#appendix-B-2.5" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.6">Connection-specific header fields -- which are prohibited -- are more precisely and
          comprehensively identified.<a href="#appendix-B-2.6" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.7">
          <code>Host</code> and "<code>:authority</code>" are no longer permitted to disagree.<a href="#appendix-B-2.7" class="pilcrow">¶</a>
</li>
        <li class="normal" id="appendix-B-2.8">Rules for sending Dynamic Table Size Update instructions after changes in settings have
          been clarified in <a href="#dynamic-table" class="xref">Section 4.3.1</a>.<a href="#appendix-B-2.8" class="pilcrow">¶</a>
</li>
      </ul>
<p id="appendix-B-3">Editorial changes are also included. In particular, changes to terminology and document
        structure are in response to updates to <span><a href="#RFC9110" class="xref">core HTTP
        semantics</a> [<a href="#RFC9110" class="xref">HTTP</a>]</span>. Those documents now include some concepts that were first defined in RFC
        7540, such as the 421 status code or connection coalescing.<a href="#appendix-B-3" class="pilcrow">¶</a></p>
</section>
</div>
<section id="appendix-C">
      <h2 id="name-acknowledgments">
<a href="#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
      </h2>
<p id="appendix-C-1">Credit for non-trivial input to this document is owed to a large number of people who have
        contributed to the HTTP Working Group over the years.  <span>[<a href="#RFC7540" class="xref">RFC7540</a>]</span> contains a
        more extensive list of people that deserve acknowledgment for their contributions.<a href="#appendix-C-1" class="pilcrow">¶</a></p>
</section>
<section id="appendix-D">
      <h2 id="name-contributors">
<a href="#name-contributors" class="section-name selfRef">Contributors</a>
      </h2>
<p id="appendix-D-1"><span class="contact-name">Mike Belshe</span> and <span class="contact-name">Roberto Peon</span> authored the text that this document is based on.<a href="#appendix-D-1" class="pilcrow">¶</a></p>
</section>
<div id="authors-addresses">
<section id="appendix-E">
      <h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Martin Thomson (<span class="role">editor</span>)</span></div>
<div dir="auto" class="left"><span class="org">Mozilla</span></div>
<div dir="auto" class="left"><span class="country-name">Australia</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:mt@lowentropy.net" class="email">mt@lowentropy.net</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Cory Benfield (<span class="role">editor</span>)</span></div>
<div dir="auto" class="left"><span class="org">Apple Inc.</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:cbenfield@apple.com" class="email">cbenfield@apple.com</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>

